(57) ABSTRACT

A computer implemented online music distribution system provides for the secure delivery of audio data and related media, including text and images, over a public communications network. The online music distribution system provides security through multiple layers of encryption, and the cryptographic binding of purchased audio data to each specific purchaser. The online music distribution system also provides for previewing of audio data prior to purchase. In one embodiment, the online music distribution system is a client-server system including a content manager, a delivery server, and an HTTP server, communicating with a client system including a Web browser and a media player. The content manager provides for management of media and audio content, and processing of purchase requests. The delivery server provides delivery of the purchased media data. The Web browser and HTTP server provide a communications interface over the public network between the content manager and media players. The media player provides for encryption of user personal information, and for decryption and playback of purchased media data. Security of purchased media data is enhanced in part by the use of a personal, digital passport in each media player. The digital passport contains identifying information that identifies the purchaser, along with confidential information, such as credit card number, and encryption data, such as the media player's public and private keys. The media player encryption data is used to encrypt purchased media data, which is decrypted in real time by the media player. The media player also displays confidential information, such as the purchaser's credit card number, during playback.

25 Claims, 21 Drawing Sheets
SECURE ONLINE MUSIC DISTRIBUTION SYSTEM

BACKGROUND

1. Field of Invention

This invention relates generally to the field of online commerce, and more particularly, to systems and methods for the online distribution of digital media data over public communication networks.

2. Background of the Invention

The rapid development of the Internet and the World Wide Web has primarily focused on these technologies as vehicles for online commerce for the distribution of their products. From a commercial perspective, 'distribution' includes the two distinct phases of purchase and delivery. Many companies only support the purchase phase online. Typically, this is done by providing an online catalog of products and enabling a consumer to view the catalogs and provide payment information, such as a credit card, to the company's Web site. The purchased merchandise is then delivered off-line by mailing to the purchaser. Overwhelmingly, the majority of products purchased in this manner are traditional non-digital media, such as books, clothing, food products, and the like. Even digital media, such as computer software, video, and audio, are purchased in this manner, with product selection and purchase being made online but the delivery being made conventionally by mailing the digital media to the purchaser on a conventional medium such as floppy diskette, CD-ROM, video cassette, audio tape or audio CD.

In contrast to conventional online purchase/off-line distribution systems, a complete system for the online distribution of digital media, such as digital audio, would provide online support for both the purchase and delivery phases. Such an online distribution system presents a number of special challenges not associated with non-digital products. For example, with conventional distribution of music on CD and cassette tapes, losses from copyright infringement from illegal copying of music are estimated at about $1 billion worldwide, annually. The susceptibility of digital audio to unauthorized copying, and the ability to create perfect duplicates, raises the specter of even more significant losses to the music industry, and has been the single greatest factor in the music industry's reluctance to make music available for purchase over the Internet. Thus, an online music purchase and distribution system must be demonstrably secure from a large variety of attacks and misuses in order to preserve the music owner's intellectual property rights.

At least three types of risks are present in the online distribution of music. First, there is a considerable security risk in simply maintaining digital media products in computer systems connected to public networks such as the Internet for access by consumers. In order to effectively enable purchasers to review and purchase digital media, the audio distributor's computer system storing such media must be networked. However, given the commercial value of such digital media, whether audio data, video data, software, or the like, such sites would be likely targets of computer-based attacks. Further, the very presence of an online commerce system is itself an inducement to 'crackers' to attempt to break the security controls of such a system and gain access thereto. Thus, an online music distribution system for digital media must be secure from such direct attacks. Further, if the online music distribution system is compromised, it is desirable that the underlying media itself be secure against unauthorized copying.

Similarly, the protocols and transmission mechanisms by which an online music distribution system delivers digital audio to a legitimate purchaser must also be secure, to prevent unauthorized users from intercepting deliveries of the audio and related media over the network.

Finally, once the product has been delivered to a user, it must be made secure against unauthorized duplication by the user or by others.

These constraints on an online music distribution system are in conflict with many of the features consumers want in terms of flexibility and ease of use. In particular regard to the purchase of audio data, such as songs and related media (e.g., the graphics and liner notes which typically accompany conventional retail forms of audio), consumers want to be able to sample audio products prior to purchasing. It is desirable for such an online music distribution system then to provide some mechanism by which users can play limited portions of songs and view related media without having to purchase the song. In addition, a consumer should be able to pass on preview music to other potential new customers.

Similarly, purchasers of music in traditional forms such as compact discs or cassettes are accustomed to simple, easy to use consumer devices, such as portable compact disc players and cassette players. For the successful distribution of music over the Internet, the security requirements must not unduly interfere with the consumer's ease of use of the system. A consumer should be able to purchase and play back audio easily and securely. However, the security measures, particularly the encryption mechanisms, should make the purchased audio unusable outside of the specific devices and mechanisms of the distribution system.

Similarly, consumers are accustomed to being able to play music purchases anywhere they can carry a CD and CD player. Consumers will expect similar portability when purchasing digital media over the Internet. Accordingly, a desirable online music distribution system should allow a consumer to play back purchased audio not merely on a single computer, but on any platform equipped with an appropriately licensed playback device and the licensee's personal identification.

Also, given the very high audio fidelity available today with conventional CD products, audio purchased over the Internet from an online music distribution system must have at least the same level of fidelity, or otherwise consumers will not purchase such products. Thus, any encryption or compression methods used must not induce significant signal loss, or impair playback performance.

There already exist today various forms of online payment processing systems, such as credit card and debit card authorization systems. In addition, many new forms of online payment are now developing, and will continue to develop in the future, including digital cash, micropayments, and the like. Accordingly, an online music distribution system should not require a single form of payment, or use a proprietary payment processing system. Rather, a desirable online music distribution system should be adaptable to integrate with all forms of payment processors. Similarly, many merchants are now providing their own online commerce servers from which they offer and distribute products as the retail vendor of such products. A desirable online music distribution system should integrate with any variety of merchant systems.

An online music distribution system should also allow for the recovery of secured audio content by consumers who have lost the identification or other security information (such as an encryption key) required to use their purchases. In addition, independent agencies which police copyright
infringements should also be able to recover infringing copies, and identify the creator of such infringements.

SUMMARY OF THE INVENTION

The present invention provides a secure online music distribution system that provides consumers with flexibility and ease of use in the selection, previewing, downloading, and transporting of audio and other digital media over the Internet, and that provides for security of the media throughout the distribution system.

An online music distribution system in accordance with the present invention includes a variety of cooperative components that communicate over a public network, preferably the Internet. These components include a content manager, one or more delivery servers, a media data file system and media information database. Internet communications by the system are facilitated by HTTP servers. Any number of individual purchasers use client computer systems with Web browsers and media players.

Secure distribution of audio is provided by three aspects of the present invention. First, unlike conventional media delivery systems, the present invention supports both phases of distribution online: the commercial phase of a purchase transaction, such as authentication of the purchaser and payment, and the delivery of the purchased media itself. This aspect of the online music distribution system is provided by having the content manager control the storage of the audio data in the media data file system, and manage the commercial aspects of a purchase or preview transaction with the purchaser. On the other hand, the actual delivery of the audio data is managed by one of the delivery servers.

Given the security needs of limiting copying, and preventing attacks on the system directly and during delivery of products, the present invention provides secure protocols for consummating the purchase transaction, and for delivering the audio and other media. First, the media player of the user and the user's identity are authenticated by the content manager. Second, the specific media being purchased is encrypted with information uniquely identifying the purchaser (and distinct from mere encryption keys), and known only to the media player of the purchaser. In this manner, only the purchaser's media player can decrypt and play back the purchased audio. Third, the specific purchase transaction is itself represented by a secure and trusted object which is passed between the content manager, media player, and delivery server. Fourth, once the media is delivered to the media player by the delivery server, it can only be played back in the presence of various decryption keys and confidential personal information of the purchaser.

In another aspect of the invention, encrypted and un-encrypted versions of a song are combined into a single media data file, along with descriptive text, artwork, and other information. The encrypted version of the song is a high fidelity audio image that is to be purchased. The un-encrypted versions of a song are either selected portions, or the entire song, but recorded with lesser quality, such as increased compression and/or lower sample rate. These un-encrypted lower quality 'clips' are available free for previewing by the consumer in order to decide whether or not to purchase the high fidelity version. In addition, descriptive information, such as cover art, lyrics, credits and the like, is also available for previewing.

In another aspect of the invention, there is provided a complete security protocol that protects the purchase-quality audio images from creation by an artist all the way through purchase and playback by the user. The purchase-quality audio data is encrypted when created by the artist with a media key, a strong random number generated by an audio authoring tool. This media key is then encrypted with a public key of the content manager. The encrypted high-quality version of the song is combined with the lower-quality unencrypted version, descriptive information and the like into a media data file. The media data file is uploaded to the content manager for storage in the media data file system, where it can now be purchased by consumers. While in storage in the online music distribution system, the audio images remain encrypted and tied to the specific content manager.

To purchase a media data file, a consumer first registers with the media licensing center to obtain a digital passport. The passport is a combination of data that includes personal information uniquely identifying a user, information confidential to that user, and encryption key information used to encrypt media data for that person's use. The identifying information is typically the user's name, address, and so forth. The confidential information is preferably some information of value to the user, such as the user's credit card number. This information is combined in the passport with a public-private key pair generated by the media licensing center, into a digital certificate authenticating their identity. The private key information is then separately encrypted with symmetric keys, including a user-selected passphrase, and a strong random key.

The passport supports security during various phases of the purchase of media data files. First, the certificate is used to authenticate the purchaser to the content manager and delivery server.

Second, the purchaser's public key from the passport is used by the content manager to encrypt the media key for the media data file being purchased. In this manner, only the purchaser's media player can decrypt the media key for the purchased audio and play back the music. When the media player receives a media data file for playback, it uses the private key stored in the passport to decrypt the media key included in the media data file. The media key is then used to decrypt the audio image for playback at the user's machine.

Third, the passport's inclusion of confidential information (such as the user's credit card number) is further designed to deter the purchaser from simply copying their passport and purchased audio and giving them to another person. During playback the media player displays the confidential information of the user on the computer display. The display of the confidential information provides a powerful incentive for the purchaser to protect the integrity of their passport, and hence indirectly protect the purchased media itself.

The integrity of the purchase and delivery phases of a transaction is secured by a protocol between the content manager, delivery server, the user's Web browser, and media player that uses the purchaser's passport, and a separate trusted data object called a media voucher. The media voucher uniquely identifies the media being purchased, the specific purchase transaction, and the specific delivery server to deliver the purchased media to the media player. The specific purchase transaction is represented by a voucher ID generated by the content manager. The media voucher is provided by the content manager to the user's Web browser once the user's credit card has been checked and payment authorized. The content manager also provides a receipt token, a strong random number the media player will use to complete the transaction with the specified delivery server. This completes the purchase phase of the transaction.
The delivery phase of the transaction then takes place between the media player and the delivery server, with validation of the transaction provided by the content manager. The media player creates a message authentication of the receipt and voucher ID from the media voucher and the consumer's certificate from the passport. This step binds the specific transaction to the purchase. These data are transmitted to the delivery server. The delivery server validates the message authentication data, using the voucher ID and a certificate chain from the packet and the receipt obtained from the content manager. This step validates the identity of the media player to the delivery server. The content manager encrypts the media key of purchased audio images with the purchaser's public key. The delivery server can then deliver the audio to the purchaser's media player. In this way only the purchaser can decrypt the purchased audio.

BRIEF DESCRIPTIONS OF THE DRAWINGS

FIG. 1 is an illustration of a secure online music distribution system in accordance with the present invention.

FIG. 2 is an illustration of a media data file.

FIG. 3 is an illustration of a media voucher.

FIG. 4 is an illustration of a passport.

FIG. 5 is an event trace of the publishing process.

FIG. 6 is an event trace of the registration process.

FIG. 7 is an event trace of the preview process.

FIG. 8 is an illustration of a Web page for selecting a preview during the preview process.

FIGS. 9a-9b are an event trace of the purchase process.

FIG. 10 is an illustration of the content manager.

FIG. 11 is an illustration of the delivery server.

FIG. 12 is an illustration of the media licensing center.

FIG. 13 is an illustration of the media player.

FIG. 14 is an illustration of one embodiment of the user interface of the media player.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

System Overview

Referring now to FIG. 1, there is shown an illustration of a system for the secure distribution of music and related media over a public telecommunications network, such as the Internet. The system employs a client-server architecture. The system includes a music distribution center 124 which operates with any number of client systems 126, only one of which is illustrated for convenience. The music distribution center 124 includes a content manager 112, at least one delivery server 118, and an HTTP (HyperText Transfer Protocol) server 122. The content manager 112 maintains a media information database 106, a master media file system 120, and a transaction database 130. In addition, the music distribution center 124 interfaces with a media licensing center 110, which in turn communicates with one or more distributed rights agent servers 108 and merchant servers 132. The merchant servers 132 interface with various payment processing systems 134. Client systems 126 include a media player 116 and a Web browser 128. In a preferred embodiment, there are additional delivery servers 118 and media licensing centers 110 that operate independently and externally to a music distribution center 124, and interface with it to provide the same functionality as its local complementary components.

The client systems 126 have two basic components, a media player 116 and a Web browser 128. The Web browser 128 may be conventional, with the addition of an interface to the media player 116 for passing information to the media player 116.

The music distribution center 124 operates on server-class computer systems, such as Sun Microsystems SPARCstations™ executing a UNIX™ based operating system, or Intel Pentium™ based computers executing Microsoft Corp.'s Windows NT™ operating system. The media player 116 is a software product capable of executing on a variety of computer platforms, also including Apple Computer, Inc.'s Macintosh™ systems executing Apple's MacOS™ operating system, and Intel Pentium based computers executing Microsoft Corp.'s Windows95 or Windows NT operating systems.

The music distribution center 124 communicates with the various other components such as the client systems 126, media licensing centers 110, merchant servers 132, authoring tools 102, and rights agents 108 over a public communication network, preferably the Internet, using conventional TCP/IP communication protocols for insecure channels, and a protocol over TCP, such as Netscape Communications Inc.'s Secure Sockets Layer v. 3 (SSL), for secure communications. The Web browser 128 of the client system 126 interfaces with the music distribution center 124 via the World Wide Web portion of the Internet using conventional HTTP and HTTP over SSL, and the music distribution center's HTTP server 122.

Data Objects

The present invention separates the management and administration of the purchase of the media content from the delivery of that media content to purchasers. This separation is supported in two ways. First, the administration and management of all purchases and other transactions is provided primarily by the content manager 112, and the delivery of the purchased media content is provided by the delivery servers 118. Second, three distinct data objects are used to encapsulate the information used in various stages of the various transactions. First, media content is stored in media data files that are encrypted, when purchased, using encryption keys of the purchasers. Second, a media voucher object is used to encapsulate the information specific to an individual transaction, including the media data being purchased, and the delivery server 118 for delivering the media data. Third, the link between these data entities is provided in a passport object which encapsulates the user's personal confidential information, and encryption keys.

Media Data File

Referring now to FIG. 2 there is shown an illustration of a media data file in accordance with one embodiment of the invention. The media data files 200 are stored in the master media file system 120. Each media data file 200 includes the following:

Header 202 generally defines the information needed to decode the media data file 200. This information includes a file format version, the location (offset) of the table of contents 222 in the file, and security information, such as authentication information including a digital signature of data extracted from the file.

Media descriptive data 204 is text and image data associated with the audio files. These data include descriptive text, such as title, artist, lyrics, and liner notes, promotional art image data, and cover art image data. These data are preferably digitally signed to prevent them from being changed. The author of the file determines whether the media descriptive data 204 is encrypted or not. This allows the liner notes and credits data, for example, to be freely viewed by the potential purchasers, and thereby allows them
to determine whether they are interested in purchasing the music, while ensuring other data that have commercial value, such as lyrics, are viewable only by purchasers.

The media data file 200 contains at least one media data chunk 206. Each media data chunk 206 includes a watermarked, compressed, and encrypted audio image 208. Each of these images 208 is processed to provide different quality levels on playback, using different sampling rates and compression levels. Each image 208 encodes either the entire song file or a portion thereof. Use of a number of different images 208 of differing audio qualities allows the artist to provide a single media data file 200 that can be previewed by users of different platforms and different audio playback capabilities. The data chunk also includes optional restrictions on such actions as playback and recording to external devices or files.

First the audio image 208 is watermarked by inserting additional data directly into the audio data stream prior to compression. A suitable watermark is implemented, for example, with Solana Technology of San Diego, Calif. Compression of the audio images 208 is preferably provided through the use of a high-quality compression algorithm. Each algorithm has a unique identifier to allow the system to operate with multiple compression formats. Compression may be provided, for example, using Dolby Laboratories, Inc.'s AC-3 compression algorithm.

The audio image 208 is encrypted with a symmetric media key, which is generated by the authoring tool 102, and is preferably a strong random number. The preferred encryption algorithms include DES and RC4. Encryption with a symmetric media key enables the audio image to be decrypted in real time as it is played back by the media player 116. Real time decryption reduces the amount of the audio image 208 that is available in a memory buffer in un-encrypted form at any given moment, and thereby reduces the probability of an attacker obtaining an illegitimate copy of the audio image.

As further explained below, the media key is separately encrypted with the public key of the content manager 112 while the media data file 200 is stored in the master media file system 120. When the media data file 200 is to be delivered to a purchaser, the encryption under the content manager's public key is removed, and the media key is then re-encrypted with the public key of the user's media player 116. This locks the media key, and hence the audio image 208, to the purchaser's media player 116.

For each audio image 208, there is provided space for encryption parameters 210, such as DES initialization vectors.

An index table 212 for each audio image 208 defines timing information for the image, to allow a media player 116 or delivery server 118 to randomly access any portion of the audio image during playback or streaming. The index table 212 may be implemented as an array of timing data and location information.

Clip and song information 214 defines the duration and starting time of a clip in the song, and the duration of the song itself, along with fade-out and fade-in parameters, which are preferably the duration of each fade; the actual fade is then implemented by the media player 116. The clip audio data is not encrypted. This enables a prospective purchaser to preview a portion of the song.

A "For-Sale" flag 216 defines whether the media chunk 206 is for sale, or can only be previewed.

A timestamp 218, such as an SMPTE timestamp, is provided for editing the media data file 200 with professional audio editing tools.
A transaction ID 220 is added to each copy of the media data file 200 that is delivered to a purchaser. The transaction ID 220 is used to uniquely identify each copy of a media data file 200 that is purchased, and is added to the media data file 200 by the media player 116 upon receipt. The transaction ID preferably includes a media voucher ID, a timestamp of the time of delivery to the media player 116, a certificate serial number of the content manager 112 authorizing the delivery of the media data file 200, and the certificate of the media player 116 receiving the media data file 200.

Finally, the media data file 200 includes a table of contents 222 for the entire media data file 200. The table of contents 222 includes the location of each item of data in the media data file 200, and its type and subtype. Types include text, audio and graphics. Text subtypes include artist, title, lyrics, liner notes, and other text information. Graphic subtypes include cover art, and promotional art.

Media Voucher

The media voucher is an object that is used to control the purchase and preview of media data files 200. For each purchase or preview of a media data file 200, a new media voucher is created by the content manager 112 and provided to the media player 116 of the user. The media voucher is used by the media player 116 to identify both the specific media data file 200 to be acquired and the delivery server 118 to provide the information.

Referring now to FIG. 3, there is shown an embodiment of a media voucher. A media voucher 300 includes a unique voucher ID 302 which is generated by the content manager 112, and a media ID 304 that uniquely identifies the media data file 200. The voucher ID 302 limits the use of the media voucher 300 to a single purchase or preview transaction. A receipt 306 is a strong random number generated by the content manager 112 which is used to create a message authentication code (MAC) of the voucher ID and consumer certificate to bind the delivery of the media data to the purchase transaction. Preferably, the MAC is a keyed message authentication code as defined in Internet RFC 2104. A delivery server address 308 is the IP address and TCP port of a delivery server 118 that will provide the media data file 200 to the user's media player 116.
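The delivery-phase binding described in the summary (the media player MACs the voucher ID and its consumer certificate with the receipt; the delivery server checks it against the receipt it got from the content manager) and the media voucher 300 of FIG. 3, as an added Python example that is not the patent's own code. It assumes HMAC-SHA-256 as the RFC 2104 MAC, treats the consumer certificate as opaque bytes (no X.509 chain check), and uses constructed byte widths, addresses and certificate stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class MediaVoucher:
    """Trusted object the content manager hands to the media player (FIG. 3).
    Field names follow the description; byte widths are this example's guess."""
    voucher_id: bytes        # unique per purchase or preview transaction
    media_id: str            # identifies the media data file 200
    receipt: bytes           # strong random number, used here as the MAC key
    delivery_server: tuple   # (IP address, TCP port) of delivery server 118


def mac_over(receipt, voucher_id, consumer_cert):
    """Keyed MAC (RFC 2104) over voucher ID and consumer certificate, keyed
    with the receipt. SHA-256 is this example's hash; the text names none."""
    return hmac.new(receipt, voucher_id + consumer_cert, hashlib.sha256).digest()


class DeliveryServer:
    """Delivers a media data file only for a fresh, correctly bound request."""

    def __init__(self, address="198.51.100.10", port=7000):   # constructed
        self.address, self.port = address, port
        self._receipts = {}      # voucher_id -> receipt, from the content manager
        self._redeemed = set()   # voucher IDs already used (single-use rule)

    def register_receipt(self, voucher_id, receipt):
        # The receipt reaches the server from the content manager, never from
        # the media player, so a player cannot mint a receipt for itself.
        self._receipts[voucher_id] = receipt

    def validate(self, request):
        """True only if a known, unused voucher is bound to the presented
        certificate. Verifying the certificate chain back to the media
        licensing center is an X.509 step left outside this example."""
        vid = request["voucher_id"]
        receipt = self._receipts.get(vid)
        if receipt is None:
            return False                   # voucher never issued
        if vid in self._redeemed:
            return False                   # voucher limited to one transaction
        expected = mac_over(receipt, vid, request["certificate"])
        if not hmac.compare_digest(expected, request["mac"]):
            return False                   # wrong receipt or altered certificate
        self._redeemed.add(vid)
        return True


class ContentManager:
    """Issues vouchers once payment is authorized (payment not modelled) and
    shares each receipt with the delivery server named in the voucher."""

    def __init__(self, delivery_server):
        self.delivery_server = delivery_server

    def issue_voucher(self, media_id):
        ds = self.delivery_server
        voucher = MediaVoucher(os.urandom(16), media_id, os.urandom(32),
                               (ds.address, ds.port))
        ds.register_receipt(voucher.voucher_id, voucher.receipt)
        return voucher


def media_player_delivery_request(voucher, consumer_cert):
    """The packet the player sends. The receipt itself never leaves the
    player; only the MAC derived from it does."""
    return {
        "voucher_id": voucher.voucher_id,
        "certificate": consumer_cert,
        "mac": mac_over(voucher.receipt, voucher.voucher_id, consumer_cert),
    }


def run_delivery_phase():
    """Play the exchange through once and report the outcome of each check."""
    server = DeliveryServer()
    manager = ContentManager(server)
    alice_cert = b"constructed stand-in for consumer certificate 402: alice"
    voucher = manager.issue_voucher("media-0001")
    request = media_player_delivery_request(voucher, alice_cert)

    # Voucher passed to another person: the MAC was computed over alice's
    # certificate, so presenting a different one breaks the binding.
    copied = dict(request, certificate=b"constructed stand-in: mallory")
    results = {"other_certificate": server.validate(copied)}

    # A voucher ID the content manager never issued has no receipt on file.
    results["unknown_voucher"] = server.validate(dict(request, voucher_id=os.urandom(16)))

    results["purchaser"] = server.validate(request)     # genuine request
    results["replay"] = server.validate(request)        # same voucher again
    return results
```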
Passport

The passport is a data object that provides the security information particular to each user of the system. Each user is issued a passport by the media licensing center 110 during the registration process. The passport is stored on the user's computer and used during playback to decrypt the media key for each media data file 200 purchased by the user. Whereas encrypting the media key of a purchased media data file 200 with the public key of a user's media player 116 binds the media data file 200 to a specific user, the user's passport in turn enables the user to decrypt the file and play it back on her media player 116. Further, the passport includes confidential personal information of the user, and this deters the user from freely copying and distributing her passport to others.

Referring to FIG. 4 there is shown an embodiment of a passport. Each passport includes a consumer certificate 402, a consumer private key 412, encrypted personal information 414, and a registration key 420. The consumer certificate 402 is used to authenticate the purchaser of a media data file 200, and to encrypt a purchased media data file 200. The certificate 402 is preferably in the ISO X.509 format, and issued by a trusted certificate authority, which in the preferred embodiment is the media licensing center 110. Each consumer certificate 402 in the ISO X.509 format includes a consumer public key 404, a set of validity dates 406 defining
the period during which the certificate is valid, a serial
number 408, and a digital signature 410 of the certificate
authority.

The consumer private key 412, along with the public key
404, are generated by the media licensing center 110.
Generation of the key pair by the media licensing center 110
is desirable to simplify recovery of the private key if the
consumer loses it, to eliminate the need for the media player
116 to generate keys, and to simplify the registration
protocol.

The passport 400 further includes personal and confidential
information 414. This information preferably identifies the
user, such as the user's name 416, and other similar
information (e.g., address). In addition, it includes
confidential information, such as a credit card number 418 or
the like. This personal and confidential information is
displayed by the media player 116 during playback of the
audio data of the media data file 200.

The consumer private key 412 and personal information
414 are encrypted with a user's registration key 420. This
key is also generated by the media licensing center 110. The
registration key 420 is stored in the passport 400 encrypted
using a passphrase entered by the user during the registration
process.

When a user purchases a media data file 200, the consumer
certificate 402, which includes the public key 404, is
provided to the content manager 112. The content manager
112 uses the public key 404 to encrypt the media key of the
media data file 200. When the media player 116 receives the
media data file 200 and encrypted media key, it uses the
registration key 420 to decrypt the private key 412, uses the
private key 412 to decrypt the media key, and uses the media
key to decrypt the media data file 200 itself. It further uses
the registration key 420 to decrypt the personal information
414, which is then displayed to the user. The user is required
to enter his/her passphrase upon playback in order to decrypt
the registration key 420.

Component Overview

Content Manager

The content manager 112 is the central transaction
processor of the music distribution system 124, and is
responsible for the overall management and administration of
the "content" of the media data files, beginning with the
receipt and storing of published media data files 200 from
various authors, the management of preview and purchase
transactions by individual users of media data files
including the encryption of media data files 200 in a manner
that allows only a particular user to access the media for
playback, and the reporting to rights agents of purchases and
other uses of media data for proper compensation of authors
of fees and royalties from such uses. The content manager
112 stores details of each transaction in the transactions
database 130.

Delivery Server

The delivery server(s) 118 is the mechanism by which the
media data files 200 are delivered to users via the media
players 116 in the client systems 126. More particularly, a
delivery server 118 is responsible for receiving requests
from a media player 116 to preview or purchase a media data
file 200 containing audio data, to route such requests to the
content manager 112 for authentication and encryption, and
to deliver the requested media data file 200 or portion
thereof as a preview by real time streaming of the content of
the audio data for immediate playback at the media player
116, or as a purchase by securely downloading the media
data file to the user's client system 126 for subsequent
playback by the media player 116 or recording to CD for
playback on conventional CD players.

Media Player

The media player 116 is the mechanism by which the
consumer plays back purchased or previewed audio data,
and by which the consumer digitally records purchased
media data files to a further external memory, such as
CD-R, CD-RW, Mini-Disc, flash memory, or the like. The
media player 116 provides user interface controls for playing
purchased and stored media data files, viewing cover and
promotional graphics, reading lyrics and other media
information, organizing play lists and tracklists, and other
music database management features. FIG. 14 illustrates an
embodiment of the user interface of the media player 116.

The media player 116 is also responsible for storing and
managing a user's passport 400, and accessing the passport
data to decrypt audio images in real time as the audio image
is being played back.

Media Licensing Center

The media licensing center 110 is a licensing and
certificate authority. New users of the system who wish to
purchase data from the music distribution center 124 must
first register with the media licensing center 110 to obtain a
consumer certificate 402, including the public-private key
pair. The media licensing center 110 is responsible for
generating these public-private key pairs on behalf of the
media player 116 for encrypting the media data files 200 and
other information to be received by the media players 116 so
that only a particular user's media player 116 can decrypt
and playback the audio image data 208 included in a media
data file 200 purchased by that user. The media licensing
center 110 is further responsible for authenticating new users
as they register, and for generating certificates that are
attached to various media data files by the various other
components of the music distribution center 124 as they are
moved through the system to authenticate these components.
The media licensing center 110 is further responsible for
issuing certificates to the content manager 112. These
certificates are designed to have relatively short validity
periods, preferably on the order of 1 to 2 weeks. This short
validity period is used to ensure that "pirate" sites can be
shut down in a timely manner. Accordingly, the media
licensing center 110 is further responsible for updating the
certificate of the content manager 112 if it expires.

Finally, the media licensing center 110 provides for
generating rights reports of the usage of media data files, and
for communicating such rights reports to the rights agents
108.

The foregoing elements are the basic components for
secure distribution of music data given a collection of music
and other media. In order to obtain media data files 200 for
distribution, the authoring tools 102 are used by individual
artists to create the audio data and associated media data in
the media data files 200 to be delivered over the network to
the content manager 112 for storage in the master media data
file system 120. Information descriptive of the master media
data files is extracted by the content manager 112 from each
of the master media data files and stored in the media
information database 106.

Distribution Hub

While an artist can upload a master media file directly to
the content manager 112 from the authoring tool 102, the
artist may instead forward a master media file to a
distribution hub 104 for augmentation. A distribution hub may
be a computer system managed by a recording agency or
record label, or other agency, which manages or otherwise
participates with the artist in the creation and promotion of
the artist's works. The distribution hub 104 may be used to add
agent codes which identify the rights agent responsible for
receiving purchase and usage information from the content 
manager 112, along with agency identification codes which 
identify the artist and the media data created by the artist to 
the agency. For example, agency codes may be the product
code or SKU code used by the agency to track each artist's
works.

Merchant Server & Payment Processor 

A merchant server 132 is an external system which acts as 
authorized electronic retailer of music and media over the 
network. The payment processing systems 134 are conven- 
tional payment authorization systems, such as credit card 
authorization systems or debit card payment authorization 
systems. 

Operational Overview 

The system 100 of the present invention and music 
distribution center 124 provide a number of processes and 
workflows to support the secure distribution of music and 
related media. These workflows include: 

Publishing: this is the process of transferring master 
media data files from the authoring tools 102 to the content 
manager 112. Once imported and catalogued by the content 
manager 112 into the media information database 106 the 
master media files are generally available for preview and 
purchasing by individual users. 

Registration: each entity in the system registers with the 
media licensing center 110 to obtain a certificate that is used 
for authentication of identity by the various entities of 
transferred data. In particular, a user registers to obtain a 
consumer certificate that is used by the content manager 112 
to authenticate the identity of a purchaser of a media data 
file. Authors also register to obtain an author's certificate 
that is used by the content manager 112 to authenticate the 
author when the author uploads a master media data file for 
inclusion in the master media file system 120. The content 
manager 112 registers with the media licensing center 110 to 
obtain a certificate that enables it to distribute media data 
files themselves. 

Preview: this process is supported by the delivery servers 
118 and media players 116 to provide a real time streaming 
of audio data and display of related media data at a media 
player 116. The preview enables the user to decide whether 
or not to purchase the entirety of the song for permanent 
storage on their hard disk and subsequent recording to a 
CD-R or other external device. 

Purchase: this process is the transaction of purchasing a 
media data file from the content manager 112 and its 
delivery by a delivery server 118 to a media player 116. 

Rights Reporting: The rights reporting process provides a 
tamper-proof mechanism to securely track electronic music 
distribution. This process securely uploads usage 
(purchases, previews and so forth) of media from the content 
manager 112 to various rights agents 108. This uploaded 
information describes the number of times various media 
data files have been used to allow for accurate reporting of 
such usage for the purpose of royalty payments and other 
fees to the artists, owners, record labels and so forth. These 
mechanisms allow music industry participants to protect 
their copyrights and could be used by rights reporting 
agencies to bill distributors for royalties associated with the 
volume of electronic distribution of the media data files. 
Publishing 

Publishing is the process of distributing media data files 
200 from their respective authors to the content manager 112 
for inclusion in the music distribution center 124. Referring 
now to FIG. 5 there is shown an event trace of the publishing 
process 500. First, the artist constructs 502 the media data 
file 200 in the authoring tool 102. Generally, individual
authors will record various musical works into a digital
format, and obtain or design cover and promotional art to be
incorporated with the music into the media data file 200. The
artist then uses the authoring tool 102 to perform any desired
digital signal processing, and editing on the digitally
recorded audio data. The authoring tools also provide for
compression of the audio images, watermarking, and
encryption. The authoring tool 102 is also used by the artist
to enter the media descriptive data 204, such as the artist's
name, song title, lyrics, and the like, as previously described.

An artist can include in a media data file 200 a number of
different audio images 208, each having different quality
levels, in terms of bandwidth, as determined by compression
level and sampling rate.

The media keys generated by the authoring tool 102 are
preferably cryptographically secure random numbers. They
are used to encrypt the audio images 208.

Following construction of a media data file 200 including
encryption of the audio images 208, the authoring tool 102
establishes 504 a connection with the content manager 112,
and transmits the filename and file length of the media data
file 200 to be uploaded. The content manager 112 responds
508 with its own certificate (which includes its public key).

The authoring tool 102 and the content manager 112 then
cross-authenticate each other. The authoring tool 102
authenticates 510 the content manager 112 as follows. The
authoring tool 102 receives a timestamp and a hash of the
timestamp, the authoring tool username and password, all
encrypted with the content manager's private key. The
authoring tool re-creates the hash, decrypts the hash sent by
the content manager and compares the two. If these items
match, this verifies that the content manager 112 has the
matching private key, and authenticates the content manager
112 to the authoring tool 102. The authoring tool 102 further
validates 512 that the content manager's certificate is signed
by the issuing certificate authority, which in this case is the
media licensing center 110.

The content manager 112 then authenticates 514 the
authoring tool 102 in a similar manner, receiving the
certificate of the authoring tool 102 and a hash of some
information available to the content manager encrypted in
the authoring tool's private key. The content manager 112
also validates 516 the certificate of the authoring tool 102.
Other authentication protocols may also be used between the
authoring tool 102 and the content manager 112.

Once the cross-authentication is complete, the authoring
tool 102 encrypts 518 the audio images 208 with the media
key and encrypts 520 the media key with the public key of
the content manager 112 using the specified encryption
algorithm. Now only the content manager 112 can decrypt
the media key, and hence decrypt the audio images 208. The
authoring tool 102 finally transmits 522 the complete media
data file 200 to the content manager 112.

The content manager 112 receives the media data file 200
and extracts 524 the media descriptive data from it, and
updates 526 the media information database 106 with a new
entry for the media data file 200. The content manager 112
also stores 530 the media data file 200 in the master media
data file system 120. If the 'For sale' flag 216 of the new
media data file 200 is set, then the media data file 200 is
ready for purchase by a consumer. The security of the media
data files 200 in the master media data file system 120 is
provided by the persistent encryption of the individual
media keys for each media data file 200 with the public key
of the content manager 112. Additional security for the
private key of the content manager 112 may be provided by
tamper-proof hardware, for example, GTE Internetworking/
BBN's SafeKeyper Signer product.

Registration

Registration is the process of the purchaser establishing a
trusted identity to the music distribution center, for engaging
in later transactions. Referring now to FIG. 6 there is shown
an event trace of the process of registration 600 by a user.

When the media player 116 starts up, it checks 602 for the
existence of the user's passport 400 containing the user's
private key. If the passport 400 does not exist, the media
player 116 will launch 604 the Web browser 128, providing
it a URL to a registration page of the media licensing center
110. The Web browser 128 requests 606 the registration
page, which is returned and displayed 608 by the Web
browser 128.

The registration page is a form which collects the personal
information necessary to register the user. This information
includes full name, billing address, telephone number, email
address, credit card number and expiration date. Other
personal information that may be collected includes a
driver's license number, and the like. The user enters this
data into the Web browser 128, and presses, for example, a
Register button, which invokes a CGI script on the server
122 to return 610 the registration data to the media licensing
center 110. This information is preferably transmitted over a
secure communication link, such as Netscape
Communications, Inc.'s Secure Sockets Layer v. 3.

The media licensing center 110 extracts the credit card
information and verifies it by requesting 612 a credit card
authorization from a payment processor 134. The credit
authorization is returned 614 to the media licensing center
110 if approved. If the credit card is not approved, the media
licensing center 110 returns a page to the Web browser 128
with an error message, and a request for a different credit
card number.

Once the credit card is authorized, the media licensing
center 110 generates 616 a new passport 400 for the user's
media player 116. The media licensing center 110 generates
a public/private key pair to be the consumer's public key 404
and private key 412. The media licensing center 110 formats
the passport 400 as an ASCII file, including:

(a) a certificate chain, which includes a hierarchy of
certificates, serially signed. The certificate chain begins
with the certificate of the media licensing center 110
certificate authority and terminates with the consumer
certificate 402.

(b) a consumer certificate 402 signed by the media
licensing center 110, including the generated public key
404.

(c) the consumer's private key 412, encrypted with a
strong, randomly generated registration key 420.

(d) the consumer personal information 414, also
encrypted with the registration key.

(e) the registration key 420 in cleartext.

The consumer's private key 412 and personal information
414 are also digitally signed by the media licensing center's
private key to prevent tampering.

The passport 400 is then returned 618 to the Web browser
128 over the secure connection, with a predefined MIME
type that identifies it to the Web browser 128 as being data
for the media player 116. The Web browser 128 passes 620
the passport 400 to the media player 116.

The media player 116 then validates 622 the passport 400
for authentication and tamper detection by authenticating the
certificate chain. The certificate chain is authenticated by
starting with a root certificate of the media licensing center
110 that is stored in the media player 116, using the public
key of the root certificate to decrypt a hash of the certificate
and compare that decrypted hash with a newly generated
hash. If the hashes are identical, the next certificate is
authenticated in the same manner.

Once the passport is validated, the media player 116
queries the user to obtain 624 a passphrase for the
registration key. The media player 116 then encrypts 626 the
registration key 420 with the user-supplied passphrase.
Registration encryption is preferably implemented with
RSA Data Security, Inc.'s BSAFE PBE (MD5+DES)
algorithm.

The passport is then stored 628 to the local file system of
the client computer 126. The passport 400 may be stored in
a default location, or a user's specified one. The file format
for the passport 400 is operating system independent to
provide for portability of the passport 400 between
Microsoft Corp.'s Windows operating system and Apple
Computer Inc.'s MacOS.

The user is now authorized to purchase and preview
music from the system.

In a preferred implementation, the passphrase while in
memory and the decrypted private key should be safe from
ActiveX, JavaScript, and similar forms of attack applets that
could illegitimately copy these keys and return them to an
attacker. In addition, while the media player 116 is active,
the media key should remain encrypted as much as possible.

On losing the registration key 420 or the passphrase that
encrypts it, the registration key 420 can be sent again from
the media licensing center 110 to the media player 116 via
the Web browser's SSL connection to a Web server on the
media licensing center 110.

The media licensing center 110 maintains a persistent
database of all consumer certificates issued, including the
personal information 414 associated with each certificate.

Preview

Referring now to FIG. 7 there is shown an event trace of
the process 700 of previewing a media data file 200 prior to
purchase.

Previewing begins with the user viewing a Web page in
the Web browser 128 that has a link to a preview of a desired
media data file 200. FIG. 8 illustrates an exemplary Web
page for selecting a preview. The link is to the HTTP server
122, and when clicked, the Web browser 128 invokes 702
the HTTP server 122 with a request for a preview of a media
data file 200. The URL for the request encodes the media ID
and the type of request, whether for a clip or the entire song.
The HTTP server 122 then forwards the request to the
content manager 112 via an insecure TCP connection,
passing in the media ID and request type, here a preview
type request.

The content manager 112 receives the preview request,
and validates 706 that the media data file 200 specified by
the media ID exists. In a preferred implementation this is
done by accessing first a cache of media IDs of frequently
accessed songs. If the requested media ID is not present in
the cache, the content manager 112 then checks the master
media file system 120 for the requested media data file 200.
If the media data file 200 is not present here, the content
manager 112 returns an error.

Assuming the content manager 112 confirms the existence
of the requested media data file 200, it then determines 708
whether a delivery server 118 is available to handle the
request to preview the file.

In a preferred embodiment, each delivery server 118 is
licensed and configured by the system provider to have a
limited number of active streams of data being delivered at
any one time. The content manager 112 maintains a list of
the delivery servers 118 it operates with, and the number of
active streams and total streams for each delivery server 118.
Each delivery server 118 registers with a content manager
112, providing its network address. The content manager
112 configures each registered delivery server 118 with the
number of streams allocated to the delivery server 118, the
base UDP port to be used for the streams, and a port number
for accepting streaming requests on.

When a delivery server 118 allocates a stream then, it
updates the content manager 112 with this information.
Accordingly, to determine availability of a delivery server
118, the content manager checks this list for the first
available delivery server 118 which does not have all
streams allocated. If no streams are available, then the
content manager 112 returns a message to the Web browser
128 indicating that the preview cannot be delivered at the
present time.

Assuming the content manager 112 identifies an available
delivery server 118, the content manager 112 generates and
returns 710 to the HTTP server 122 a media voucher 300.
This includes the network address 308 of the delivery server
118 and port number, voucher ID 302, and media ID 304.

The HTTP server 122 generates and returns 712 to the
Web browser 128 an HTTP response embedding the media
voucher data. A MIME type is defined that causes the Web
browser 128 to invoke the media player 116 with the
response data.

The Web browser 128 receives the HTTP response and
stores 714 the data of the media voucher 300 in a local file.
The Web browser 128 then passes 716 the file name of this
file to the media player 116.

The media player 116 receives the file name of the media
voucher 300, reads the file, and extracts 718 from the media
voucher 300 the delivery server address 308 and port,
voucher ID 302 and media ID 304. The media player 116
then sets up a communication channel with the specified
delivery server 118 and passes 720 in the voucher ID 302
and the media ID and bandwidth requirement, which is an
estimate of the media player's Internet connection
bandwidth. The media player 116 also provides port
information identifying which ports it is to receive the
streamed audio data from the delivery server 118.

The delivery server 118 receives the voucher ID and
media ID and contacts 722 the content manager 112 to
obtain the media information from the media information
database 106. The delivery server 118 specifies to the
content manager 112 the media ID for the media data file
200, and the number of, and specific types of information to
be retrieved from the media descriptive data 204. This step
is to obtain the most current information about the media
data file 200, in case there have been any updates, for
example to the price information or other data. The content
manager 112 responds 724 with media information of each
requested type.

The delivery server 118 then transmits 726 the media
information to the media player 116. This information
informs the media player 116 of the duration of the clip or
song, data size of the encoded audio to be delivered, starting
and ending times of the clip, fade-in and fade-out durations,
and bandwidth.

The delivery server 118 then streams 728 the media data
file 200 to the media player 116. To stream the media data
file 200, the delivery server 118 notifies the content manager
112 that it is allocating one of its streams for a particular
request by providing to the content manager 112 the voucher
ID 302 of the media voucher 300, the network address of the
media player 116 to receive the stream, the bandwidth
requested by the media player 116, and the media ID of the 
requested media data file 200. 

The media player 116 receives the streamed media data 
file 200 and plays 730 the audio image according to the 
provided media information parameters. At any time, the 
user can instruct the media player 116 to stop the stream and 
download any free data over the same connection. When 
streaming is completed, the delivery server 118 notifies the 
content manager 112 to release the stream, indicating the 
voucher ID 302, the status of the stream, the duration of the 
song that was played by the consumer, and which audio 
image 208, if any, was downloaded to the media player 116. 
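The stream bookkeeping the content manager performs for previews (registering delivery servers, picking the first server with a free stream, and recording the allocate/release notifications with the voucher ID) can be modelled as follows. This is an added example, not code from the patent; the `StreamBroker` class, its method names, and the addresses and capacities are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeliveryServer:
    """One registered delivery server 118 as tracked by the content manager."""
    address: str                 # network address the server registered with
    total_streams: int           # streams the content manager configured for it
    base_udp_port: int           # base UDP port used for the streams
    request_port: int            # port on which it accepts streaming requests
    active: dict = field(default_factory=dict)   # voucher ID -> stream details

    @property
    def has_capacity(self) -> bool:
        return len(self.active) < self.total_streams


class StreamBroker:
    """Assumed model of the content manager's delivery-server stream list."""

    def __init__(self):
        self.servers = []        # in registration order; "first available" wins
        self.usage_log = []      # release reports, the raw material for rights reports

    def register(self, address, total_streams, base_udp_port, request_port):
        srv = DeliveryServer(address, total_streams, base_udp_port, request_port)
        self.servers.append(srv)
        return srv

    def first_available(self) -> Optional[DeliveryServer]:
        """Step 708: first registered server that has not allocated all streams."""
        for srv in self.servers:
            if srv.has_capacity:
                return srv
        return None

    def allocate_stream(self, voucher_id, media_id, player_addr, bandwidth_kbps):
        """Record the delivery server's allocation notice; None means the
        preview cannot be delivered at the present time."""
        if any(voucher_id in s.active for s in self.servers):
            return None          # one voucher backs at most one active stream
        srv = self.first_available()
        if srv is None:
            return None
        srv.active[voucher_id] = {
            "media_id": media_id,
            "player_addr": player_addr,
            "bandwidth_kbps": bandwidth_kbps,
        }
        return srv

    def release_stream(self, voucher_id, status, seconds_played, downloaded_image=None):
        """Record the release notice sent when streaming completes and free the slot."""
        for srv in self.servers:
            entry = srv.active.pop(voucher_id, None)
            if entry is not None:
                report = {
                    "voucher_id": voucher_id,
                    "media_id": entry["media_id"],
                    "status": status,
                    "seconds_played": seconds_played,
                    "downloaded_image": downloaded_image,
                }
                self.usage_log.append(report)
                return report
        return None              # unknown voucher: nothing to release
```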

The user interface of the media player 116 supports 
controls to control the streaming of the audio, including fast 
forward, rewind, pause, and stop controls. To implement 
these controls, the media player 116 and delivery server 118 
use a time-based transport protocol. The media player 116 
sends transport instructions to the delivery server 118 that 
specify a time offset within an audio image at which to begin 
playing. The delivery server 118 then either advances or 
rewinds to the specified time. Fast forward user controls 
cause fixed increments of time advance, and rewind controls 
cause fixed decrements of time. Negative time values are 
used to indicate stopping and resuming play. 
Purchase 

Referring now to FIGS. 9a and 9b there is shown an event 
trace of the process 900 of purchasing a media data file 200 
for persistent storage and playback by a user's media player 
116. 

First, the user will be viewing in the Web browser 128 
some form of menu, catalogue, index or other listing of 
music and media available for purchase, and may be similar 
in form to the preview listing of FIG. 8. From the user's Web 
browser 128 a purchase request for a specific song is sent 
902 to the HTTP server 122, for example by the user 
clicking on a "Buy It" button. The button generates a URL 
including the media ID of the song to be purchased. For 
example, an invocation of the HTTP server 122 may look 
like: 

https://web-server-addr/cgi-bin/purchase?mid=MID
where web-server-addr is the hostname or IP address and 
TCP port of the HTTP/SSL server and MID is the media ID. 

The HTTP server 122 forwards 904 the purchase request 
data to a merchant server 132 to initiate authorization for 
payment for the requested media data file 200. A preferred 
implementation uses a secure connection to transfer this 
data. 

Payment information is preferably collected at this time. 
The merchant server 132 generates a payment request form 
and transmits 906 this form back to the HTTP server 122 for 
display 908 at the Web browser 128. 

The user completes 910 the form, which preferably 
requests the user's name, credit card number, and expiration 
date. For example, an invocation of the HTTP server 122 
may look like: 

https://web-server-addr/cgi-bin/ccinfo?cc=CCNO&exp=DATE&mid=MID
where CCNO is a credit card number, and DATE is the
expiration date of the credit card.

This data is then transmitted back 912 to the HTTP
server 122 which passes 914 it to the merchant server 132. 
If payment information is not collected at this stage then it 
must be collected after a reservation has been generated (see 
below). 

The merchant server 132 requests 916 a reservation for 
the requested media data file 200 from the content manager 
112, passing in the media ID of the requested media data file
200, a requested quality level (bit rate and number of 
channels in the audio image). The reservation verifies that 
the requested song at the specified quality level actually 
exists in the master media files 120 and is available for 
purchase. 

The content manager 112 looks up the received media ID 
in the media information database 106 to confirm 918 that 
the requested song exists and is available for purchase. If the 
media data file 200 identified by the media ID exists in the 
database, then the content manager 112 returns 920 to the 
merchant server 132 a voucher packet. Otherwise, the con- 
tent manager 112 returns a message indicating the media ID 
does not correspond to a known media data file 200 or that 
the corresponding file is not available for sale; this infor- 
mation is communicated back to the Web browser 128. 
Preferably, the content manager 112 also checks whether the 
IP address of the merchant server 132 is known by compar- 
ing it against a previously trusted IP address of the mer-
chant server 132. This step ensures that a known merchant 
server 132 is indeed sending the reservation request. 

The voucher packet includes a voucher ID generated by 
the content manager 112 to track the reservation, a times- 
tamp marking the start of the reservation, an expiration 
lifetime defining in seconds when the reservation becomes 
invalid after the time stamp, an authorization token that 
marks the reservation as authorized, or as unauthorized in order
to remove the reservation. Finally, the voucher packet 
includes a receipt token, which is returned in the media 
voucher to the media player 116 for initiating download of 
the requested media data file 200 from a delivery server 118. 
The authorization token is a secret token between the 
content manager 112 and the merchant server 132 and is not 
revealed to the user. This token and the receipt token are 
preferably strong random numbers. 

The content manager 112 updates the transaction database
130 to include a new entry with the data from the voucher 
packet. This data will be used subsequently to authenticate 
a download request from the media player 116 against a 
validated purchase. More particularly, the content manager ^ 
112 maintains three sets of data regarding reserved and 
available for retrieval media files: 

i) Pending purchases. These are media data files 200 that 
are reserved but not yet authorized for delivery; 

ii) Purchased and not delivered. These are media data files 
200 that have been authorized for delivery and for 
which a receipt token has been issued but not yet 
redeemed; and 

iii) Purchased and delivered. These are media data files 
200 for which a receipt token has been issued, 
validated, and redeemed by delivery of the file to the 
requesting media player 116. 

When a voucher packet is issued for a reservation, it is 
added to the list of pending purchases. 

In an alternative embodiment, an electronic wallet is used 
to provide the payment data. In this embodiment, the mer- 
chant server 132 generates a Web page with a "Wallet" 
button and a "Retrieve It" button. When the user clicks on 
the wallet button, the merchant server 132 returns an invoice 
with a "wallet" MIME type, indicating the amount of the 
purchase. The Web browser 128 launches a wallet applica- 
tion that is specific to the wallet MIME type. This wallet 
application recognizes the invoice information, and displays 
to the user a set of selections of different payment forms 
available to the user, such as electronic cash, check or 
specific credit card. The user selects one of these payment 
forms. The wallet application then connects to the merchant 
server 132 (using a network protocol defined by the wallet
application manufacturer), and delivers the required pay-
ment information. The consumer clicks a 'Pay' button to
consummate the transaction.

In either embodiment, the merchant server 132 connects 
to a payment processor gateway 134 to request payment 922 
by verifying the availability of funds and receiving 924 
payment authorization. 

Once the merchant server 132 has received payment 
authorization, it notifies the content manager 112 that the 
user has purchased the media associated with the voucher 
ID. This is done by providing 926 the voucher ID and 
authorization token previously sent to the merchant server 
132, and a flag indicating the new state of the reservation as 
authorized for delivery. The content manager 112 updates 
the transaction database 130 to reflect that the voucher 
packet for this voucher ID has been authorized for purchase 
and download. This notification authorizes the content man- 
ager 112 to enable the requested media data file 200 for 
delivery. The content manager 112 returns 928 the voucher 
ID and an updated authorization token, which is needed in 
case the reservation needs modification. 

After the merchant server 132 has authorized a purchase, 
it logs this information to an internal purchase database. 
Purchase logging has two purposes. First, it enables the 
merchant to keep track of what media has been sold, and 
second, allows the merchant to accurately report to a rights 
agent 108 for copyright notification and billing purposes. 
Two logs are preferably used: a merchant log and an audit
log. The merchant log is plaintext, whereas the audit log is
stored encrypted. The audit log is uploaded periodically to
the media licensing center 110. The protocol for creating and 
validating the audit log is described under RIGHTS 
REPORTING below. 

In the wallet payment embodiment, the merchant server 
132 returns a payment receipt to the wallet application. 

In the non-wallet case, the merchant server 132 creates 
and sends 930 a Web page, via the secure HTTP connection 
established originally, to the Web browser 128 with a 
'Retrieve It' link for display 932. The Retrieve It link is
established with the URL of the delivery server 118 to
provide the requested media data file 200. An example of
this data is:

https://web-server-addr/cgi-bin/lavs?vid=VVV&receipt=RRR

where VVV is the voucher ID and RRR is the receipt token.

When a user clicks 934 on this link in the Web browser 
128, another secure HTTP connection is setup by the Web 
browser 128 with the HTTP server 122, and the voucher ID 
and receipt token returned 936 to a CGI script that contacts 
938 the content manager 112 to request the media voucher 
300 containing the voucher ID, receipt token and delivery 
server network address and port number. The content man- 
ager 112 generates the media voucher 300 and returns 940 
it to the Web browser 128 via the secure HTTP connection. 

The media voucher 300 is encoded with a MIME type that 
identifies it as data for the media player 116. Accordingly, 
the Web browser 128 passes 942 the media voucher 300 to 
the media player 116. 

The media player 116 prompts 944 the user to enter the 
passphrase associated with the private key registered to the 
media player 116. Depending on a user-settable preference, 
the prompt will appear once per session or every time. 
Security is provided at this step by the passphrase protection
of the user's private key 412 in their passport 400.

The media player 116 uses the receipt token (the shared 
secret with the content manager 112) to authenticate 946 the 
voucher ID 302 and the consumer certificate 402. The media
player 116 establishes an unsecure TCP connection to the 
delivery server 118 using the address and port specified in 
the media voucher 300. The media player creates a message 
containing a keyed MAC of the voucher ID 302 using the 
receipt token as the key. This message is signed and sent 948 
to the delivery server 118 to start the download procedure. 
The delivery server 118 sends 950 the encrypted data and the 
cleartext voucher ID 302 to the content manager 112 for 
verification. 

The content manager 112 maps the voucher ID 302 to the 
receipt token in the transaction database 130. The content 
manager 112 then uses the receipt token to verify 952 the 
MAC encoded voucher ID and other data. 

If the voucher ID is verified, the content manager 112 
encrypts 954 the song's media key with the public key of the 
media player 116. In this manner, the media becomes 
specifically and individually licensed to the consumer; the 
media data file 200 is now referred to as the licensed media. 
Security in this step of the transaction is provided by the fact 
that media player 116 must prove that it has both the 
public/private key pair issued by the media licensing center 
110 and the receipt sent as part of the purchase transaction. 
The certificate chain is validated upon receipt from the 
player. 

The content manager 112 then returns 956 the encrypted 
media key, along with audio quality information (bit rate and 
number of channels), the public key algorithm used with the 
media key itself and encryption parameters, the authoriza- 
tion token, media ID, the voucher ID, and the content 
manager's certificate serial number, and the media player's 
certificate number to the delivery server 118. 

The delivery server 118 retrieves 958 the licensed media 
from the master media data file system 120 according to the 
media ID included in the media voucher 300, and sends 960 
it to the media player 116 using a secure protocol, such as 
SSL, to ensure that no one else can determine which music 
is being downloaded by the media player 116. The down- 
loaded media data is hashed by the media player 116 and 
sent back to the delivery server 118 to verify complete 
receipt. In a preferred embodiment, the delivery service 118 
limits the rate of the data transfer to the media player 116 to 
conserve network resources. 

Once delivery is complete, the delivery server 118 notifies 
962 the content manager 112, indicating the voucher ID, 
media ID, receipt token, time duration of the download, and 
the authorization token. The content manager 112 updates its 
transaction database 130 to reflect that the media data file 
has been delivered. 
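The bookkeeping the content manager 112 performs across steps 918 to 962 (voucher packet with random tokens, the three reservation states, rotation of the authorization token when the merchant reports payment, and MAC verification at redemption) is shown below as an added example; it is not the patent's code. HMAC-SHA256 as the keyed MAC, 32-byte tokens, a ten-minute default lifetime, and all class, function and field names are assumptions. Wrapping the media key to the player's public key (step 954) is left out.

```python
import hashlib
import hmac
import secrets
import time

# The three lists the content manager keeps for reserved media.
PENDING = "pending"        # reserved, not yet authorized for delivery
PURCHASED = "purchased"    # authorized, receipt token issued but not redeemed
DELIVERED = "delivered"    # receipt token redeemed, file delivered

TOKEN_BYTES = 32  # assumed size of the page's "strong random" tokens


def voucher_mac(receipt_token: bytes, voucher_id: str) -> bytes:
    """Keyed MAC of the voucher ID under the receipt token (HMAC-SHA256 is an
    assumption; the page only says "keyed MAC"). The media player computes it;
    the content manager recomputes it from the token stored at reservation."""
    return hmac.new(receipt_token, voucher_id.encode(), hashlib.sha256).digest()


class ContentManager:
    """Hypothetical transaction-database side of the flow (not the patent's code)."""

    def __init__(self, media_ids, trusted_merchant_ips, clock=time.time):
        self.media_ids = set(media_ids)
        self.trusted_merchant_ips = set(trusted_merchant_ips)
        self.clock = clock
        self.transactions = {}  # voucher ID -> reservation record

    def reserve(self, merchant_ip, media_id, lifetime_s=600):
        """Steps 918/920: check the merchant and the media ID, issue a voucher packet."""
        if merchant_ip not in self.trusted_merchant_ips:
            raise PermissionError("reservation request from unknown merchant server")
        if media_id not in self.media_ids:
            raise LookupError("media ID unknown or not available for sale")
        voucher_id = secrets.token_hex(16)
        rec = {
            "media_id": media_id,
            "timestamp": self.clock(),
            "lifetime": lifetime_s,
            "auth_token": secrets.token_bytes(TOKEN_BYTES),     # merchant-only secret
            "receipt_token": secrets.token_bytes(TOKEN_BYTES),  # passed on to the player
            "state": PENDING,
        }
        self.transactions[voucher_id] = rec
        return {"voucher_id": voucher_id, "timestamp": rec["timestamp"],
                "lifetime": lifetime_s, "auth_token": rec["auth_token"],
                "receipt_token": rec["receipt_token"]}

    def authorize(self, voucher_id, auth_token):
        """Steps 926/928: merchant reports payment; the authorization token is rotated."""
        rec = self.transactions.get(voucher_id)
        if rec is None or not hmac.compare_digest(rec["auth_token"], auth_token):
            raise PermissionError("bad voucher ID or authorization token")
        if self.clock() > rec["timestamp"] + rec["lifetime"]:
            raise TimeoutError("reservation expired")
        if rec["state"] != PENDING:
            raise ValueError("reservation is not pending")
        rec["state"] = PURCHASED
        rec["auth_token"] = secrets.token_bytes(TOKEN_BYTES)
        return voucher_id, rec["auth_token"]

    def verify_redemption(self, voucher_id, mac):
        """Step 952: look up the receipt token by voucher ID and check the player's
        MAC. Only an authorized, not-yet-delivered reservation can be redeemed, so
        a MAC presented before payment or replayed after delivery is refused."""
        rec = self.transactions.get(voucher_id)
        if rec is None or rec["state"] != PURCHASED:
            return False
        return hmac.compare_digest(voucher_mac(rec["receipt_token"], voucher_id), mac)

    def delivery_complete(self, voucher_id, receipt_token):
        """Step 962: the delivery server reports completion; the receipt is redeemed."""
        rec = self.transactions.get(voucher_id)
        if rec is None or not hmac.compare_digest(rec["receipt_token"], receipt_token):
            raise PermissionError("bad voucher ID or receipt token")
        rec["state"] = DELIVERED

    def state(self, voucher_id):
        return self.transactions[voucher_id]["state"]


def run_purchase(cm, merchant_ip="10.0.0.5", media_id="track-0001"):
    """One purchase end to end (constructed merchant address and media ID)."""
    packet = cm.reserve(merchant_ip, media_id)
    vid = packet["voucher_id"]
    states = [cm.state(vid)]
    _, new_auth = cm.authorize(vid, packet["auth_token"])
    states.append(cm.state(vid))
    # The player proves it holds the receipt token without ever sending it.
    redeemed = cm.verify_redemption(vid, voucher_mac(packet["receipt_token"], vid))
    cm.delivery_complete(vid, packet["receipt_token"])
    states.append(cm.state(vid))
    replayed = cm.verify_redemption(vid, voucher_mac(packet["receipt_token"], vid))
    return states, redeemed, replayed, new_auth != packet["auth_token"]
```

The two tokens have different trust scopes: the authorization token never leaves the merchant channel, and the receipt token is only ever used as a MAC key, so an observer of the unsecured player-to-delivery-server connection sees a voucher ID and a MAC but cannot redeem the purchase. A player that replays its own MAC after delivery is refused because the record has left the purchased-and-not-delivered state, which is what makes the receipt single-use.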

When a received media data file 200 is to be played back 
964 (either immediately or at a later time), the consumer's 
passphrase is entered. The media player 116 extracts the 
encrypted registration key 420 from the passport 400 and 
decrypts it with the passphrase. The media player 116 then 
extracts the encrypted private key 412 from the passport 400 
and decrypts it with the registration key 420. The media 
player 116 then decrypts the media key with the consumer's 
private key 412. Finally, the media key is then used to 
decrypt the audio image 208 in real-time as the media is 
played. 

As the audio image 208 is being played back, the con-
sumer's personal information 414 from the passport 400,
including their confidential information 418, is preferably
displayed in the user interface of the media player 116. The
display of this information is a strong deterrent to the user
against transferring an illegitimate copy of the media data
file 200 to another user. In addition, because the media
player 116 provided the consumer certificate 402 as part of
the delivery protocol, the certificate serial number is
embedded in the media data file along with the voucher ID
302. This enables either the merchant owning the merchant
server 132 which sold the music, or the media licensing
center 110, to look up the consumer's personal information
and identify this person as the source of an illegitimate copy
of the media data file 200.

Rights Reporting 

When the content manager 112 is started, it communicates
with the media licensing center 110 to initiate a secure
tamper-resistant log to be used for rights reporting informa-
tion. They negotiate a shared secret, a cryptographically
strong random number, that will be used to encrypt and
validate the log. The secret itself is retained only on the
media licensing center 110 (the content manager 112 keeps
only the current, forward-hashed per-entry key described
below), so the log created by the content manager 112 can
only be verified once it is delivered to the media licensing
center 110.

A secure log entry is created for every media data file that
is sold. When an entry is made the secret is used as a key for
encryption and for creating a keyed MAC and is then hashed
with a string to create the key used for the next log entry. The
keyed MAC covers the encrypted log entry along with a
"running hash" that is updated by hashing the current
encrypted data into the old hash value. Since the encryption
key and MAC key are different for each log entry and are
created via a one-way hashing function, the only way to
validate the log or decrypt an entry is to start with the shared
secret which is stored only on the media licensing center
110. This makes the log substantially resistant to tampering
once it is created. Also, since the hash on each entry covers
all previous entries, it is not possible to remove entries in the
middle of the log without detection when the log is validated
at the media licensing center 110.

This logging protocol is used for making entries each time
a media data file is completely downloaded by the media
player 116. The log entry includes a timestamp, the track
title, the artist name, the track authors, the song length, the
sale price, the certificate ID from the media player 116, the
voucher ID, the media data file name and a descriptor for
which audio image was downloaded. The logs are uploaded
to the media licensing center 110 on a periodic basis and
validated off-line by a batch process. Once validated, the
purchase information can be processed (e.g., totaled by
artist, track, and the like) to determine proper royalty or
other payments based on sales and previews.
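The log construction described above, as an added example that is not the patent's code: per-entry encryption and MAC keys derived from the current key, a running hash over all ciphertexts so far, a one-way step to the next key, and a verifier that replays the chain from the shared secret. SHA-256 and HMAC-SHA256, the derivation strings, and the SHA-256 counter keystream standing in for the page's unnamed cipher are assumptions; the sample log entries are constructed, in the field order the page lists.

```python
import hashlib
import hmac
import secrets


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). The page names no cipher;
    this exists only so the example runs on the standard library and is not a
    recommended construction for real deployments."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = _h(key, off.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def _entry_keys(entry_key: bytes):
    """Distinct encryption and MAC keys for one entry, both one-way from entry_key."""
    return _h(b"enc", entry_key), _h(b"mac", entry_key)


def _next_key(entry_key: bytes) -> bytes:
    """The page's 'hashed with a string to create the key used for the next entry'."""
    return _h(entry_key, b"next-entry")


class SecureLog:
    """Content manager side. It holds only the current per-entry key and the
    running hash; once an entry is written, the key that produced it is gone,
    so the writer cannot decrypt or re-sign what it already logged."""

    def __init__(self, shared_secret: bytes):
        self._key = shared_secret
        self._running = b"\x00" * 32
        self.entries = []  # (ciphertext, tag) pairs, as uploaded to the center

    def append(self, plaintext: bytes) -> None:
        enc_key, mac_key = _entry_keys(self._key)
        ct = _xor_keystream(enc_key, plaintext)
        self._running = _h(self._running, ct)  # folds in every earlier ciphertext
        tag = hmac.new(mac_key, ct + self._running, hashlib.sha256).digest()
        self.entries.append((ct, tag))
        self._key = _next_key(self._key)


def verify_log(shared_secret: bytes, entries):
    """Media licensing center side: replay the chain from the shared secret.
    Returns (ok, plaintexts recovered up to the first entry that fails)."""
    key, running, plaintexts = shared_secret, b"\x00" * 32, []
    for ct, tag in entries:
        enc_key, mac_key = _entry_keys(key)
        running = _h(running, ct)
        expected = hmac.new(mac_key, ct + running, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, plaintexts
        plaintexts.append(_xor_keystream(enc_key, ct))
        key = _next_key(key)
    return True, plaintexts


# Constructed sample entries (not real sales data).
SAMPLE_ENTRIES = [
    b"ts=1|title=Track One|artist=A|authors=A|len=3:41|price=0.99|cert=1001|vid=v1|file=t1.mdf|img=128k-stereo",
    b"ts=2|title=Track Two|artist=B|authors=B|len=4:02|price=0.99|cert=1002|vid=v2|file=t2.mdf|img=64k-mono",
    b"ts=3|title=Track One|artist=A|authors=A|len=3:41|price=0.99|cert=1003|vid=v3|file=t1.mdf|img=128k-stereo",
]


def demo(secret=None):
    """Write three entries, then report which kinds of tampering the chain detects."""
    secret = secret or secrets.token_bytes(32)
    log = SecureLog(secret)
    for entry in SAMPLE_ENTRIES:
        log.append(entry)
    intact_ok, plaintexts = verify_log(secret, log.entries)
    middle_removed_ok, _ = verify_log(secret, [log.entries[0], log.entries[2]])
    ct, tag = log.entries[1]
    flipped = (bytes([ct[0] ^ 1]) + ct[1:], tag)  # one-bit change in entry 2
    modified_ok, _ = verify_log(secret, [log.entries[0], flipped, log.entries[2]])
    tail_dropped_ok, _ = verify_log(secret, log.entries[:2])
    return {"intact": intact_ok, "plaintexts_match": plaintexts == SAMPLE_ENTRIES,
            "middle_removed": middle_removed_ok, "modified": modified_ok,
            "tail_dropped": tail_dropped_ok}
```

One caveat the page does not state: the chain detects modification and removal of entries in the middle, but a log truncated at the end still verifies, because nothing after the last surviving entry is missing from its perspective. The licensing center therefore has to reconcile the entry count against another record (the merchant log, or the number of completed deliveries) to catch dropped trailing sales.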
Component Architecture

Content Manager

Referring now to FIG. 10, there is shown an illustration of
the software modules of a preferred embodiment of a
content manager 112. The content manager 112 includes a
database access module 1002, a security module 1004, an
administration module 1006, a rights reporting module
1008, a publishing module 1010, a commerce module 1012,
a logging module 1014, and a certificate update module
1016.

Database access module 1002: This module manages all
requests for data from the master media file 120 and media
information database 106. The various other modules inter-
face with this module to retrieve, update, create, or delete
media data files 200 and media descriptive data 204. The
database module 1002 receives data requests typically as
name-value pairs, and translates these requests to SQL
requests on the underlying databases.

Publishing Module 1010: This module provides the inter-
face for both external uploading from the authoring tool 102
of the media data files 200, and importing media data files
200 from the local file system of the computer hosting the
content manager 112.

More particularly, the publishing module 1010 exports the
following functions:

Upload File: This message is sent by the authoring tool
102 to initiate the uploading of a media data file 200. The
message includes the length of the media data file 200 to be
uploaded, flags indicating whether the file is to be created,
whether it overwrites an existing file, and whether it is a
secure upload, and a file name of the file. If the file is to be
securely uploaded, the publishing module 1010 obtains from
the security module 1004 the content manager's public key
to encrypt the media key for the audio image, the content
manager's certificate, and the algorithm used to encrypt the
public key itself. This information is passed back (508, FIG.
5) to the authoring tool 102 during the publishing process to
authenticate the content manager 112.

Upload Data: This message is sent by the authoring tool
102 to the content manager 112 and contains the data being
uploaded (522, FIG. 5), as described in the previous mes-
sage.

Upload Abort: This message ends an in-progress upload.

Upload Space: This message requests the amount of free
space available on the content manager 112 for new uploads.
The publishing module 1010 responds with a total number
of kilobytes allotted for uploading, and a number of free
kilobytes remaining.

Import File: This message instructs the publishing module
1010 to import a file from the local file system.

List Project: This message obtains a list of the files or
subprojects in a local directory; the message data specifies
the pathname of the directory. The publishing module 1010
responds with the number of entries for the project, the
filename of each entry and a flag for each entry indicating
whether it is a file or a subproject.

File Info: This message requests detailed information for
a file, specified by pathname. The publishing module 1010
responds with the length of the file, flags indicating file type,
and a URL to request streaming of the file.

Create Project: This message requests creation of a
project, specified by pathname.

Rename File: This message renames a file from a speci-
fied source pathname to a specified destination pathname.

Delete File: This message deletes a file specified by
pathname.

Security Module 1004: This module manages the various
encryption processes provided by the content manager 112.
These include encryption of media keys, and digital signing
of certificates and other data. Key generation is preferably
provided by the RSA BSAFE key generation routine. Sym-
metric encryption of media keys is provided by the RSA
BSAFE PBE algorithm. Digital signature is provided by the
MD5+RSA algorithm.

Commerce Module 1012: This module manages the trans-
actions for previewing and purchasing media data files 200.
This module interfaces with the security module 1004 to
obtain encryption services, and with the database access
module 1002 to obtain media information. The commerce
module 1012 also determines which media data files 200 are
available for sale.

The commerce module 1012 interfaces with the merchant
server 132 to receive requests for purchases and to provide
and secure reservations for media data files.

The commerce module 1012 also delivers media vouchers
300 to the media players 116, including the generation and
validation of receipt tokens and authorization tokens.

The commerce module 1012 also maintains a list of
reserved and available for retrieval media files, including
tracking of pending purchases, purchased and not delivered
files, and purchased and delivered files. The commerce
module 1012 exports the following functions:

Preview: This message sends a media ID 304 and obtains
a media voucher 300 which includes the address and port of
a delivery server 118 where the media may be streamed for
preview and a voucher ID 302 used for tracking the trans-
action.

Reserve: This message sends data identifying the audio
image 208 within the media data file to reserve, and the
number of channels (mono or stereo). It receives back a
voucher ID 302 for tracking the transaction, a timestamp for
the start of the transaction, a timeout value representing the
number of seconds for which the reservation is valid, an
authorization string for modifying the reservation and a
receipt string for the player to use in downloading the file.

Authorize: This message sends a voucher ID 302, an
authorization string and a state value indicating that the
reservation should be made available for download. It
receives back a new authorization string for making further
modifications to the reservation.

Expire: This message sends a voucher ID 302, an
authorization string and a state value indicating that the
reservation should be removed from the system.

Deliver: This message sends a voucher ID 302 and a
receipt 306. It receives back a media voucher 300 which
includes the address and port of a delivery server 118 where
the media may be downloaded, a voucher ID 302 used for
tracking the transaction and a receipt 306 used to validate the
media player 116 at time of delivery.

Administration Module 1006: This module defines the
operation parameters of the system, including the number of
delivery servers and the number of active streams allocated
to each server, which ports are used by content manager 112
for network sending and receiving requests, and the number
of songs available for purchase. This module also manages
and tracks performance statistics, such as overall volume,
throughput, and the like. The administration module 1006
exports the following functions:

Get Config: This message obtains the current configura-
tion data in the form of a configuration file.

Set Config: This message uploads a configuration file to
the content manager 112 to set the configuration.

CM Shutdown: This message shuts down the content
manager 112.

DS Shutdown: This message shuts down the delivery
server 118, specified by network address.

Delete DS Configuration: This message shuts down a
delivery server 118, specified by network address, and
removes the delivery server 118 from the content manager's
configuration.

CM Statistics: This message requests system statistics.
The administration module 1006 responds with:

Uptime: the amount of time the content manager 112 has
been running.

#Vouchers: the number of media vouchers 300 issued by
the content manager 112.

CacheSize: a maximum number of media data files 200
that can be cached.

#Items: the current number of media data files 200 in the
cache.

#Access: the total number of accesses to media data files
200.
#Misses: the number of accesses to media data files 200
that were not in the cache. These three data values
allow the system provider to determine whether an
increase in the cache size is appropriate.

#In-cache: the number of accesses to media data files 200
currently in the cache.

#DS: the number of delivery servers connected to the
content manager 112.

DS Address n: the network address of the nth delivery
server 118.

#Streams n: the number of streams allocated to the nth
delivery server 118.

#Streams Used n: the number of streams used by the nth
delivery server 118.

Logging Module 1014: This module provides for error 
logging of errors during communications between the con- 
tent manager 112 and other system components; purchase 
logging to log each purchase of a media data file 200; and 
preview logging to log each preview of a media data file. 
These logs are used by the rights reporting module 1008 to
generate and report sales, usages, and chargebacks of media
data files 200.

Rights Reporting Module 1008: This module communi- 
cates with the rights agents 108 to report usage rates and 
totals for the various media data files 200 within the system. 
Rights reporting includes the identity of each media data file 
purchased or downloaded, the type of use, and any agency 
information or codes specifically designated for the media 
data file 200. 

Certificate Update Module 1016: This module interfaces 
with the media licensing center 110 to receive updates of the 
certificate of the content manager 112. The certificate of the 
content manager 112 is issued with short validity periods, 
preferably about 1 to 2 weeks. This requires the content 
manager 112 to be recertified on a regular basis, ensuring 
that the content manager 112 remains authenticated over 
time. 

Delivery Server 

Referring to FIG. 11, there is shown the software archi- 
tecture of one embodiment of a delivery server 118. The 
delivery server 118 includes a request processor 1102, a 
preview module 1104, purchase module 1106, and a content 
manager communications module 1108. 

Request Processor 1102: This module handles requests
from Web browser 128 to preview or purchase media data
files. A request is sent to either the preview module 1104 or
purchase module 1106, depending on the type of request, as
encoded in the URL passed to the HTTP server 122. This
module also provides a DS Register function, which regis-
ters the network address of the delivery server 118 with the
content manager 112.

Content Manager Communications Module 1108: This 
module establishes an unsecure TCP connection to the 
content manager 112 to obtain configuration information, 
validate voucher IDs, obtain current media information, 
obtain purchase validation information and digital signing 
information. 

Preview Module 1104: This module responds to requests 
to stream media data for real time playback of audio by the 
media player 116. This module provides the following 
functions: 

Allocate Stream: this message is sent by the preview
module 1104 to the content manager 112 to indicate that a
stream has been allocated for a particular preview request.
The message specifies the voucher ID for the request, the
network address of the media player 116 to receive the
stream, the bandwidth requested by the media player 116,
and the media ID for the file to be streamed.

Release Stream: this message is sent by the preview
module 1104 to the content manager 112 to release a stream
following completion of a request. The message includes the
voucher ID, error status, duration of the stream, and identity
of the audio image that was streamed.

The module also implements a streaming protocol to
stream the media data, based on RFC 1889 and RFC 1890,
the Real-time Transport Protocol (RTP). The streaming
protocol includes:

Initiate: this message is sent by a media player 116 to
initiate a connection to the delivery server 118; the message
includes the network address of the delivery server 118
(from the media voucher 300), the port of the player to
receive the stream, bandwidth, voucher ID, and media ID.

Stream Ready: this message is sent by the delivery server
118 to the media player 116 to provide clip and song
parameters for previewing a file, including lead-in and
lead-out, fade-in and fade-out, bandwidth, and duration.

Actual streaming is managed by a transport control pro-
tocol. Transport messages describe specific times in the
audio image 208 to be accessed to begin streaming playback.
Since the delivery server 118 can only seek to well defined
places in the audio image 208 (as defined in the index table),
the media player 116 must first determine a nearest time to
begin streaming. Accordingly, the preview module 1104
exports a Query Time function, which requests a desired
starting time. The preview module 1104 responds to a Query
Time function with a Nearest Time message indicating the
time nearest to the desired starting time, and a number of
bytes to be sent from the specified time to the end of a clip.
A Transport function, taking a specified time (the nearest
time response), instructs the preview module 1104 to begin
streaming at the specified time.

Purchase Module 1106: This module manages a secure
channel of communication based on a shared "secret" which
is the receipt token that the security module 1004 generates
as part of the media voucher 300. This module exports the
following functions:

Redeem Initiate: This message is sent by the media player
116 to initialize a connection for the downloading of a media
data file 200.

Redeem Approved: This message is sent by the purchase
module 1106 to the media player 116 if the purchase request
is approved by validation of the encrypted validation infor-
mation.

Redeem Start: This message is sent by the media player
116 to initiate the download itself.

Get Info: This message is sent by the purchase module
1106 to the content manager 112 to request the media
descriptive data.

Redeem Data Transfer Done: This message is sent by the
purchase module 1106 when all the data has been trans-
ferred.

Media Licensing Center 

The media licensing center 110 is responsible for the
generation of certificates to the other system components,
and the generation of key pairs for the media player 116.
FIG. 12 illustrates one embodiment of the software archi-
tecture of the media licensing center 110. The media licens-
ing center 110 includes the following modules:

Key Generation Module 1202: This module provides
public/private key pairs for the media player 116 and pos-
sibly for content managers as well.

Request Handler Module 1204: This module deals with
all external communication to the media licensing center
110. This may be via a Web page form for a user requesting
a passport or a content manager 112 certificate that will be
routed to the authentication module 1206, or for requesting
recovery for a lost passport or a forgotten passphrase.

Authentication Module 1206: This module authenticates a 
user identity with some external system to verify address, 
and to separately validate credit card through a payment 
processing system 134 for requesting a passport. For content 
manager certificates it verifies that there is an account setup 
for the particular music distribution center 124 making the 
request. 

Certificate Generation Module 1208: This module pro- 
vides the certificates for all other system components; in this 
fashion the media licensing center 110 acts as a certificate 
authority. The certificates are preferably ISO X.509 
compliant, and include the public key of the requesting 
entity (whether generated by that entity or by the key 
generation module 1202), information identifying the 
requesting entity, validity information, and a digital signa- 
ture of the media licensing center 110. The digital signature 
is preferably generated according to RSA Laboratories' 
PKCS #1 specification. In particular, this module produces 
the consumer certificate 402 during registration 600. 

Passport Generation Module 1210: This module receives 
a consumer certificate 402 from the certificate generation 
module 1208, the consumer's private key from the key 
generation module 1202, and user personal information 
from the Web browser 128 registration form, generates the 
registration key 420, and packages all of this data as a 
registration file to be delivered to the media player 116. 

Certificate Database Module 1212: This module is a data
repository for persistently storing pertinent consumer iden-
tifying information and the registration key to enable recov-
ery of passports 400. It also stores account information for
music distribution centers.

Administration Module 1214: This module generates 
reports on the number of passports 400 and certificates 
issued, currently valid certificates, and expired certificates, 
and the like. 

Certificate Update Module 1216: The certificates issued by
the certificate generation module 1208 have varying
validity periods. The validity period for consumer certifi-
cates is 1 year. The validity period for the content manager
112 and delivery server 118 is about 2 to 4 weeks. The
certificate update module 1216 periodically reviews the
certificate database 1212 to determine which certificates
have expired. It then authenticates the entities holding these
certificates and issues new certificates.

Media Player 

Referring to FIG. 13 there is shown an illustration of the 
software architecture of the media player 116. The media 
player 116 provides for decryption and playback of media 
data files, and for recording an audio data file from a media 
data file onto a recordable Compact Disc (CD) for later 
playback on conventional CD players. The media player 116 
interfaces with the delivery server 118 to receive media data 
files. The media player 116 includes the following modules: 

User Interface Module 1314: This module provides a user 
interface for controlling the playback of audio data including 
controls for playing, fast forwarding, reversing, pausing 
playback, and along with displays and controls for viewing 
time, time remaining, artist and track information, cover and 
promotional illustration art, and lyrics. These controls oper- 
ate with respect to both streaming of audio data from a 
delivery server 118 during a preview transaction, and play- 
back of locally stored audio data, including audio recorded 
by the user onto compact disk. The various controls invoke 
functions which generate the transport protocol and down-
load protocol messages to the delivery server 118.

Network Communication Module 1300: This module 
manages the interface of the media player 116 with the 

5 network, including establishing TCP connections over either 
secure or unsecure channels with a delivery server 118 or its 
proxy. The network communication module 1300 provides 
functions establishing the connection, requesting media to 
preview or purchase, playback controls such as stop, start at 

10 time offset, and the like, and connection shutdown. 

Passport Management Module 1302: This module is 
responsible for managing the user's passport. This module 
operates during registration of the media player 116, and 
during playback of audio data. During registration, the Web 

15 browser 128 receives via an SSL connection from the 
passport generation module 1210 of media licensing center 
110 a registration file that contains the data to be used in a 
user's passport, and stores it locally in the client computer 
126. The registration file is not encrypted. The Web browser 
128 invokes the media player 116 and provides it with the 
file name and path of this registration file. The passport 
management module 1302 imports from this registration file 
the passport data and encrypts it with a user-specified 
passphrase. During playback, the passport management 
module 1302 is used to first decrypt the passport using the 
passphrase, and then decrypt the media key stored therein 
using the user's private key. The media key is then used by 
the Playback Module 1316 to decrypt the encrypted audio 
data in a purchased media data file. In addition, the passport 
management module 1302 decrypts the personal information 
414 from the passport 400, including the user's name 
and confidential information, such as the credit card number, 
and provides it to the user interface module 1314 for display 
during playback. 

Encryption of the audio images with the media key is 
provided with DES or RSA Data Security's RC4 algorithm. 
As the audio images are also compressed, the decompres- 
sion algorithm typically consumes most of the computation 
resources. 
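The passport management path just described, written out as an added Go example; this is not code from the patent or from any implementation of it. The patent names only a user passphrase for the passport, RSA keys in the passport, and DES or RC4 for the audio image, so everything else here is an assumption: the passport is serialized as JSON, the passphrase is stretched with iterated SHA-256 (a stand-in for a real KDF such as PBKDF2, scrypt or Argon2), the passport is sealed with AES-GCM, the media key is wrapped with RSA-OAEP, and the audio image is RC4-encrypted. All function and field names, and the sample purchaser data, are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// passportPlain is passport 400 before the passphrase is applied: the player's
// private key plus the personal information 414 shown during playback.
type passportPlain struct {
	PrivateKeyDER    []byte
	Name, CardNumber string
}

// passportAEAD derives an AES-256-GCM instance from the passphrase and a salt.
// The patent names no KDF or passport cipher; iterated SHA-256 and GCM are assumptions.
func passportAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	k := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 50000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPassport returns salt(16) || nonce(12) || ciphertext+tag; the salt is the AAD.
func sealPassport(plain []byte, passphrase string) ([]byte, error) {
	hdr := make([]byte, 28)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := passportAEAD(passphrase, hdr[:16])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, hdr...), hdr[16:], plain, hdr[:16]), nil
}

// openPassport: a wrong passphrase fails the GCM tag check and releases nothing.
func openPassport(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < 28 {
		return nil, fmt.Errorf("passport blob too short")
	}
	gcm, err := passportAEAD(passphrase, blob[:16])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[16:28], blob[28:], blob[:16])
}

// registerPlayer generates the player's key pair, bundles it with the purchaser's
// data and seals the bundle; the public key is what consumer certificate 402 carries.
func registerPlayer(passphrase, name, card string) ([]byte, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	plain, _ := json.Marshal(passportPlain{x509.MarshalPKCS1PrivateKey(priv), name, card})
	sealed, err := sealPassport(plain, passphrase)
	return sealed, &priv.PublicKey, err
}

// playback is the passport management module's path: open the passport, unwrap
// the media key with the private key, RC4-decrypt the audio image, return the UI data.
func playback(sealed []byte, passphrase string, wrappedKey, encAudio []byte) ([]byte, string, error) {
	plain, err := openPassport(sealed, passphrase)
	if err != nil {
		return nil, "", fmt.Errorf("passport: %w", err)
	}
	var pp passportPlain
	if err := json.Unmarshal(plain, &pp); err != nil {
		return nil, "", err
	}
	priv, err := x509.ParsePKCS1PrivateKey(pp.PrivateKeyDER)
	if err != nil {
		return nil, "", err
	}
	mediaKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, "", fmt.Errorf("media key: %w", err)
	}
	stream, err := rc4.NewCipher(mediaKey)
	if err != nil {
		return nil, "", err
	}
	audio := make([]byte, len(encAudio))
	stream.XORKeyStream(audio, encAudio)
	return audio, pp.Name + " / card " + pp.CardNumber, nil
}
```

Everything a purchased file depends on is released by openPassport, so the passphrase is the only thing between a copied passport file and both the media keys and the card number the player displays; the GCM tag check is what turns a wrong passphrase into an error rather than into garbage audio and garbage personal data.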

Purchase Module 1304: This module is responsible for 
managing the purchase of media data files. This module 
interfaces with the Web browser 128 to receive therefrom a 
media voucher 300 identifying the media to be purchased 
and the delivery server 118 to fulfill delivery. This module 
then communicates with the delivery server 118 to securely 
download the media data file, including generation of 
download messages according to the delivery server 118 
download protocols. The module also interfaces with the passport 
management module 1302 to obtain the consumer certificate 
402 from the passport 400. The consumer certificate is 
provided to the delivery server 118, which passes it to the 
content manager 112 to encrypt the media key with the 
consumer's public key contained therein. 

Preview Module 1306: This module manages the request, 
acquisition, and real-time streaming of media from the 
delivery server 118. The preview module 1306 interfaces 
with the delivery server 118 via the transport controls to 
stream media for previewing and free download. 

File Management Module 1308: This module provides for 
reading and writing of media data files 200 to the local hard 
disk of the client computer system 126. 

CD Device Management Module 1310: This module 
formats a media data file 200 for writing on CD-Recordable, 
or other writable device. Formatting includes decompression 
and formatting to Red Book standards. Preferably the 
decompressed data is kept encrypted before it is written to 
the device. 

Track List Module 1312: This module organizes the 
user's media data files into various lists of media tracks, and 
provides a user interface to access and manage this infor- 
mation. This enables the user to create lists of media to be 
recorded to a CD or the like. 

Playback Module 1316: This module is responsible for 
the actual playback of a media data file 200, including 
decryption of the audio image 208 using the media key. The 
playback module 1316 implements controls to start, stop, 
pause, reverse, and fast forward playback. 
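The purchase exchange of the Purchase Module paragraph above, with the voucher and data packet fields as recited in claims 8 and 22 below, as an added Go example that is not the patent's own code. It assumes random hex voucher IDs and receipt tokens, RSA-PSS over SHA-256 for the packet signature, RSA-OAEP for wrapping the media key both at rest and to the player, and a JSON encoding of the signed fields; the type and function names are hypothetical. The delivery server is not modeled as a separate party: in the text it parses the packet and forwards the voucher ID to the content manager, which here is a direct call to Fulfill.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// MediaVoucher is media voucher 300 with the fields recited in claim 22(a).
type MediaVoucher struct {
	VoucherID, ReceiptToken, MediaID, DeliveryAddr string
}

// DataPacket is the player's message to the delivery server (claim 22(b)).
type DataPacket struct {
	VoucherID, ReceiptToken string
	PublicKeyDER, Signature []byte
}

// signedBytes is the fixed encoding the signature covers: every field but the
// signature, so a packet with a swapped key or voucher ID fails verification.
func (p DataPacket) signedBytes() []byte {
	b, _ := json.Marshal([]interface{}{p.VoucherID, p.ReceiptToken, p.PublicKeyDER})
	return b
}

// ContentManager: the transaction processor key pair, media keys wrapped to its
// public key (claim 15), and the vouchers that are still redeemable.
type ContentManager struct {
	priv     *rsa.PrivateKey
	media    map[string][]byte       // media ID -> wrapped media key
	vouchers map[string]MediaVoucher // voucher ID -> voucher; removed once redeemed
}

// StoreMedia is the pre-purchase state: the media key never sits in the clear.
func (cm *ContentManager) StoreMedia(mediaID string, mediaKey []byte) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &cm.priv.PublicKey, mediaKey, nil)
	if err != nil {
		return err
	}
	cm.media[mediaID] = w
	return nil
}

// ReservePurchase mints a voucher with a random voucher ID and receipt token.
func (cm *ContentManager) ReservePurchase(mediaID, deliveryAddr string) (MediaVoucher, error) {
	if _, ok := cm.media[mediaID]; !ok {
		return MediaVoucher{}, errors.New("unknown media ID")
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return MediaVoucher{}, err
	}
	v := MediaVoucher{hex.EncodeToString(b[:16]), hex.EncodeToString(b[16:]), mediaID, deliveryAddr}
	cm.vouchers[v.VoucherID] = v
	return v, nil
}

// BuildDataPacket is the player's step: voucher data plus the player's public
// key, signed with the player's private key (RSA-PSS over SHA-256 assumed).
func BuildDataPacket(v MediaVoucher, playerKey *rsa.PrivateKey) (DataPacket, error) {
	p := DataPacket{v.VoucherID, v.ReceiptToken, x509.MarshalPKCS1PublicKey(&playerKey.PublicKey), nil}
	h := sha256.Sum256(p.signedBytes())
	sig, err := rsa.SignPSS(rand.Reader, playerKey, crypto.SHA256, h[:], nil)
	p.Signature = sig
	return p, err
}

// Fulfill is what the delivery server triggers after parsing the packet (claim
// 22(c)): check voucher, token and signature, then re-wrap the media key to the player.
func (cm *ContentManager) Fulfill(p DataPacket) ([]byte, string, error) {
	v, ok := cm.vouchers[p.VoucherID]
	if !ok {
		return nil, "", errors.New("unknown or already redeemed voucher")
	}
	if subtle.ConstantTimeCompare([]byte(v.ReceiptToken), []byte(p.ReceiptToken)) != 1 {
		return nil, "", errors.New("receipt token mismatch")
	}
	pub, err := x509.ParsePKCS1PublicKey(p.PublicKeyDER)
	if err != nil {
		return nil, "", err
	}
	h := sha256.Sum256(p.signedBytes())
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], p.Signature, nil); err != nil {
		return nil, "", err
	}
	mediaKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cm.priv, cm.media[v.MediaID], nil)
	if err != nil {
		return nil, "", err
	}
	delete(cm.vouchers, p.VoucherID) // consume before re-wrapping: no second download
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, mediaKey, nil)
	return wrapped, v.MediaID, err
}
```

Two checks carry the security of this exchange: the receipt token ties the packet to the voucher the content manager actually issued, and the signature proves the sender holds the private key matching the public key that will receive the media key, so a tampered packet is rejected and each voucher is consumed on first use. A bare public key, as claim 22 recites it, is not bound to any purchaser; in the description that binding is the consumer certificate 402 issued at registration, which this example does not verify.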

We claim: 

1. A computer-implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

a content manager that transmits validation data uniquely 
associated with a purchase of a selected one of the 
media data files and a network address of a delivery 
server to deliver the selected media data file to a client 
computer system including a media player for playing 
back the audio data of the selected media data file; 

the media player, storing encryption data assigned spe- 
cifically to the media player, that receives the validation 
data from the content manager, and transmits the vali- 
dation data to the delivery server specified by the 
network address in the validation data; and 

the delivery server that verifies the validation data 
received from the media player using the content 
manager and receives the selected media data file from 
the content manager and securely retransmits the 
selected media data file to the media player, wherein the 
selected media data file includes the audio data of the 
selected media data file encrypted using the encryption 
data of the media player, the media player adapted to 
decrypt the audio data of the selected media data file 
using the encryption data, and playback resulting 
decrypted audio data; 

wherein the media player displays confidential informa- 
tion of a purchaser of the media data file during 
playback of the decrypted audio data. 

2. The system of claim 1, wherein the confidential infor- 
mation is a credit card number of the purchaser. 

3. The system of claim 1, wherein the media player 
displays the confidential information in response to a request 
by a user of the media player. 

4. A computer-implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

a content manager that transmits validation data uniquely 
associated with a purchase of a selected one of the 
media data files and a network address of a delivery 
server to deliver the selected media data file to a client 
computer system including a media player for playing 
back the audio data of the selected media data file; 

the media player, storing encryption data assigned spe- 
cifically to the media player, that receives the validation 
data from the content manager, and transmits the vali- 
dation data to the delivery server specified by the 
network address in the validation data; and 

the delivery server that verifies the validation data 
received from the media player using the content 
manager and receives the selected media data file from 
the content manager and securely retransmits the 
selected media data file to the media player, wherein the 
selected media data file includes the purchased audio 
data encrypted using the encryption data of the media 
player, the media player adapted to decrypt the audio 
data of the selected media data file using the encryption 
data, and playback the resulting decrypted audio data; 
wherein the content manager stores, prior to a purchase, 
the audio data of each media data file encrypted with an 
associated media key, the media key encrypted with a 
public key of the content manager, and responsive to a 
purchase of a media data file, removes the content 
manager public key from the media key, and encrypts 
the media key with a public key of the media player to 
receive the selected media data file. 

5. A computer-implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

a content manager that transmits validation data uniquely 
associated with a purchase of a selected one of the 
media data files and a network address of a delivery 
server to deliver the selected media data file to a client 
computer system including a media player for playing 
back the audio data of the selected media data file; 

the media player, storing encryption data assigned spe- 
cifically to the media player, that receives the validation 
data from the content manager, and transmits the vali- 
dation data to the delivery server specified by the 
network address in the validation data; and 

the delivery server that verifies the validation data 
received from the media player using the content 
manager and receives the selected media data file from 
the content manager and securely retransmits the 
selected media data file to the media player, wherein the 
selected media data file includes the audio data of the 
selected media data file encrypted using the encryption 
data of the media player, the media player adapted to 
decrypt the audio data of the selected media data file 
using the encryption data, and playback resulting 
decrypted audio data; 

wherein upon request from the client computer system for 
a preview of the selected media data file, the content 
manager queries a database system for updated media 
descriptive data about the selected media data file to be 
provided to the media player; 

further wherein responsive to the updated media descrip- 
tive data being present in the database system, the 
content manager delivers the updated media descriptive 
data to the delivery server for subsequent transmission 
to the client computer system; and 

further wherein the content manager queries the database 
system using individual data from the media player for 
customized media descriptive data about the selected 
media data file to be provided to the media player. 

6. A computer-implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

a content manager that transmits validation data uniquely 
associated with a purchase of a selected one of the 
media data files and a network address of a delivery 
server to deliver the selected media data file to a client 
computer system including a media player for playing 
back the audio data of the selected media data file; 

the media player, storing encryption data assigned spe- 
cifically to the media player, that receives the validation 
data from the content manager, and transmits the vali- 
dation data to the delivery server specified by the 
network address in the validation data; 

the delivery server that verifies the validation data 
received from the media player using the content 
manager and receives the selected media data file from 
the content manager and securely retransmits the 
selected media data file to the media player, wherein the 
selected media data file includes the audio data of the 
selected media data file encrypted using the encryption 
data of the media player, the media player adapted to 
decrypt the audio data of the selected media data file 
using the encryption data, and playback resulting 
decrypted audio data; 

wherein upon request from the client computer system for 
a preview of the selected media data file, the content 
manager queries a database system for updated media 
descriptive data about the selected media data file to be 
provided to the media player; 

further wherein responsive to the updated media descrip- 
tive data being present in the database system, the 
content manager delivers the updated media descriptive 
data to the delivery server for subsequent transmission 
to the client computer system; and 

further wherein the media descriptive data comprises a 
graphics image, and a uniform resource locator that 
initiates from the media player the purchase of the 
selected media data file. 

7. A computer-implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

a content manager that transmits validation data uniquely 
associated with a purchase of a selected one of the 
media data files and a network address of a delivery 
server to deliver the selected media data file to a client 
computer system including a media player for playing 
back the audio data of the selected media data file; 

the media player, storing encryption data assigned spe- 
cifically to the media player, that receives the validation 
data from the content manager, and transmits the vali- 
dation data to the delivery server specified by the 
network address in the validation data; and 

the delivery server that verifies the validation data 
received from the media player using the content 
manager and receives the selected media data file from 
the content manager and securely retransmits the 
selected media data file to the media player, wherein the 
selected media data file includes the audio data of the 
selected media data file encrypted using the encryption 
data of the media player, the media player adapted to 
decrypt the audio data of the selected media data file 
using the encryption data, and playback resulting 
decrypted audio data; 

wherein the content manager provides the media player 
with media descriptive data associated with the selected 
media data file, the media descriptive data including a 
promotional graphics image, and a uniform resource 
locator that initiates from the media player a promotion 
related to the media data file. 

8. A computer-implemented method for distributing 
media data files including audio data to purchasers via a 
public communications network, the method comprising: 

storing a plurality of media data files, each media data file 
including at least one audio image of a song encrypted 
with an associated media key, each media data file 
associated with a media ID for identifying the media 
data file; 

receiving a request to purchase a selected one of the media 
data files, the request including the media ID of the 
selected media data file; 

generating a voucher ID associated with the purchase of 
the selected media data file, a receipt token, and net- 
work addressing information of a delivery server to 
deliver the selected media data file; 

responsive to receiving an authorization of the purchase 
of the selected media data file, transmitting the voucher 
ID, receipt token, and the network addressing informa- 
tion to a media player to receive the selected media data 
file; 

receiving a data packet including an authenticated 
voucher ID including the receipt token, a public key of 
the media player, and a digital signature of the data 
packet formed using a private key of the media player; 

responsive to successfully verifying the authenticated 
voucher ID against the first-mentioned voucher ID, 
encrypting the associated media key of the selected 
media data file with the public key of the media player 
to form an encrypted media key; and 

authorizing delivery of the selected media data file by 
transmitting the encrypted media key and the media ID 
of the selected media data file. 

9. The computer implemented method of claim 8, further 
comprising: 

generating and transmitting the associated media key for 
encrypting the audio image in the selected media data 
file, and the public key for encrypting the associated 
media key; and 

receiving the selected media data file including the audio 
image encrypted with the associated media key, and the 
encrypted media key. 

10. The computer implemented method of claim 8, further 
comprising: 

generating, for a purchaser, a digital passport including 
the public key and the private key for the media player, 
a consumer certificate, personal information identify- 
ing the purchaser, and confidential information of the 
purchaser; and 

transmitting the digital passport of the purchaser to the 
media player, wherein the media player stores the 
passport in a local memory, to provide the public key 
to the content manager. 

11. The computer implemented method of claim 8, further 
comprising: 

displaying confidential information of a purchaser of the 
selected media data file during playback of the audio 
data of the selected media data file. 

12. The computer implemented method of claim 11, 
wherein the confidential information is a credit card number 
of the purchaser. 

13. The computer implemented method of claim 8, further 
comprising: 

displaying confidential information of a purchaser of the 
selected media data file during playback of the audio 
data of the selected media data file in response to a 
request by a user of the media player. 

14. The computer implemented method of claim 8, further 
comprising: 

receiving the selected media data file from an authoring 
tool, the selected media data file including the at least 
one audio image encrypted with the associated media 
key, the associated media key encrypted with a public 
key of a transaction processor; 

parsing the selected media data file and selectively 
importing data of the selected media data file into a 
database; and 

storing the selected media data file, and the associated 
media key in a local file system managed by the 
transaction processor. 

15. The computer implemented method of claim 8, further 
comprising: 

storing, prior to a purchase, the audio data of each of the 
plurality of media data files encrypted with the asso- 
ciated media key, the associated media key encrypted 
with a public key of a transaction processor; and 

responsive to the request to purchase of the selected 
media data file, removing the transaction processor public 
key from the associated media key of the selected 
media data file, and encrypting the associated media 
key of the selected media data file with the public key 
of the media player. 

16. The computer implemented method of claim 8, 
wherein each of the plurality of media data files includes: 

at least a high-quality encrypted one of the at least one 
audio images wherein the high-quality encrypted audio 
image represents a full length high quality version of 
the song; and 

at least a lower-quality unencrypted one of the at least one 
audio images wherein the lower-quality un-encrypted 
audio image represents a lower quality version of the 
song. 

17. The computer implemented method of claim 8, further 
comprising: 

receiving a request for a preview of the selected media 
data file prior to a purchase of the selected media data 
file; 

responsive to the request for the preview, authorizing 
delivery of at least one un-encrypted audio image of the 
at least one audio images of the selected media data file 
to the media player; and 

receiving at the media player the un-encrypted audio 
image and playing the un-encrypted audio image as 
preview of the selected media data file. 

18. The computer implemented method of claim 8, further 
comprising: 

responsive to a request for a preview of the selected media 
data file, obtaining updated media descriptive data 
about the selected media data file; and 

transmitting the updated media descriptive data to the 
media player. 

19. The computer implemented method of claim 18, 
wherein the updated media descriptive data comprises a 
graphics image, and a uniform resource locator to initiate a 
purchase of the media data file by delivery of an encryption 
key to decrypt the encrypted audio data. 

20. The computer implemented method of claim 8, further 
comprising: 

securely storing purchase information for each purchase 
of an audio data file in a secure transaction log. 

21. The computer implemented method of claim 20, 
wherein the secure transaction log includes a plurality of log 
entries of purchases of audio data files, each log entry 
encrypted with a unique encryption key. 

22. A computer implemented online music distribution 
system for distributing digital media data files, including 
audio data, over a public communications network, the 
system comprising: 

(a) a content manager that: 

(i) receives a request to reserve a selected one of the 
media data files for a purchase transaction; 

(ii) generates a media voucher including a voucher ID 
associated with the purchase transaction, a receipt 
token used to validate the voucher ID, a media ID 
identifying the selected media data file, and network 
addressing information of a delivery server to deliver 
the selected media data file; 

(iii) transmits the media voucher to a client computer 
system including a media player for playing back the 
audio data of the selected media data file; 

(b) the media player, storing a public key/private key pair 
assigned specifically to the media player, that: 

(i) receives the media voucher from the content man- 
ager; 

(ii) generates a data packet containing: 

(1) data representing the voucher ID; 

(2) a public key of the public key/private key pair of 
the media player; and 

(3) a signature of the data packet formed using a 
private key of the public key/private key pair of 
the media player; and 

(iii) transmits the data packet to the delivery server 
specified by the network addressing information in 
the media voucher; and 

(c) the delivery server that: 

(i) receives and parses the data packet, and transmits 
the voucher ID to the content manager; 

(ii) receives from the content manager the selected 
media data file including the audio data of the selected 
media data file encrypted with a media key, the 
media key encrypted with the public key of the 
media player; and 

(iii) transmits the selected media data file to the media 
player, the media player adapted to playback the 
media data file by decryption of the media key with 
the private key. 

23. The system of claim 22, further comprising: 
a media licensing center that: 

(a) receives, from the client computer system, personal 
information identifying a purchaser and confidential 
information of the purchaser; 

(b) generates the public key/private key pair for the 
media player; 

(c) generates a digital passport including: 

(i) a consumer certificate including the public key; 

(ii) the private key, encrypted with a registration key; 
and 

(iii) the personal information and the confidential 
information, encrypted with the registration key; 

(d) transmits the digital passport to the media player, 
wherein the media player stores the digital passport 
in a local memory of the client computer system, to 
provide the public key to the content manager. 

24. The system of claim 23, wherein the media licensing 
center includes a secure transaction log including a plurality 
of log entries of purchases of audio data files, the content 
manager periodically updating the transaction log to reflect 
new purchases of audio data files. 

25. A computer implemented online distribution system 
for distributing digital media data files, including audio data, 
over a public communications network, the system com- 
prising: 

a content manager that stores a plurality of media data 
files, each media data file including at least one 
encrypted high quality full length audio data file, and at 
least one unencrypted low quality audio data file, 
transmits validation data uniquely associated with a 
preview of a selected one of the media data files and a 
network address of a delivery server to deliver the 
selected media data file to a client computer system 
including a media player for playing back the audio 
data of the selected media data file; 

the media player, that receives the validation data from the 
content manager, and transmits the validation data to 
the delivery server specified by the network address in 
the validation data; and 

the delivery server that verifies the validation data 
received from the media player using the content 
manager to validate the preview of the selected media 
data file by the media player, and receives the selected 
media data file from the content manager and retrans- 
mits the selected media data file to the media player, 
wherein the selected media data file includes the 
unencrypted low quality audio data, the media player 
adapted to playback the unencrypted low quality audio 
data as the preview of the selected media data file as the 
unencrypted audio data is received; 

wherein the selected media data file received from the 
delivery server includes a uniform resource locator to 
initiate a purchase of the encrypted high quality audio 
data in the media data file by delivery of an encryption 
key from the content manager to the media player, and 
without requiring the delivery server to retransmit the 
media data file to the media player. 
